Improvements in app/assets/javascripts/lib/utils/url_utility.js

app/assets/javascripts/lib/utils/url_utility.js contains a collection of functions to manipulate and validate URLs. However, there are important deficiencies in these functions. URLs seem simple, but the specification is complex. Overly simplistic implementations can lead to security holes, such as cross-site leaks. In addition, some of these functions do not handle relative installations well, for example https://example.com/gitlab.

Below, we propose improvements for each of these functions with the following overarching goals:

  • Remove reliance on RegExps and use the URL constructor instead. Even better, create a wrapper around the URL constructor that only allows strings as arguments, to avoid surprises like new URL(undefined, 'https://example.com'), which results in https://example.com/undefined.
  • Most of the functions should throw errors if the URLs or parts of them are invalid. The errors should be dealt with upstream by the consumer of the utilities.
  • Use the current page location window.location.href uniformly as the base URL for the URL constructor.
  • Standardize the capitalization of URL: url, lower-case, if it is the first "word" of an identifier (const url = ..., urlGetPathname) or URL, upper-case, otherwise (encodeSaferURL).
  • More accurate names for functions and variables, and more consistency in the names.

  • encodeSaferUrl
  • cleanLeadingSeparator
  • cleanEndingSeparator
  • joinPaths
  • getParameterValues
  • mergeUrlParams
  • removeParams
  • getLocationHash
  • doesHashExistInUrl
  • urlContainsSha
  • getShaFromUrl
  • setUrlFragment
  • updateHistory
  • escapeFileUrl
  • webIDEUrl
  • getBaseURL
  • isAbsolute
  • isRootRelative
  • isBase64DataUrl
  • isBlobUrl
  • isAbsoluteOrRootRelative
  • pathSegments
  • isExternal
  • relativePathToAbsolute
  • isSafeURL
  • sanitizeUrl
  • getNormalizedURL
  • getWebSocketProtocol
  • getWebSocketUrl
  • urlParamsToArray
  • getUrlParamsArray
  • queryToObject
  • getParameterByName
  • objectToQuery
  • setUrlParams
  • urlIsDifferent
  • getHTTPProtocol
  • stripPathTail
  • getURLOrigin
  • isSameOriginUrl
  • constructWebIDEPath
  • removeUrlProtocol
  • removeLastSlashInUrlPath
  • visitUrl
  • visitUrlWithAlerts
  • refreshCurrentPage
  • buildURLwithRefType
  • parseUrlPathname
Edited by Eduardo Sanz García
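
The string-only wrapper around the URL constructor proposed in the goals above could look like the following. This is an added example, not code from url_utility.js or from the GitLab project; createStrictURL, isSameOriginStrict, currentPageHref and the sample URLs are hypothetical names and constructed values.

```javascript
// Added example. createStrictURL and isSameOriginStrict are hypothetical names,
// not functions from url_utility.js.

// Base for relative URLs: the current page in a browser; undefined elsewhere,
// in which case the caller must pass a base explicitly.
function currentPageHref() {
  return typeof window !== 'undefined' ? window.location.href : undefined;
}

// new URL() stringifies its arguments, so undefined becomes the path
// segment "undefined". Reject anything that is not a string up front.
function createStrictURL(url, base = currentPageHref()) {
  for (const [name, value] of [['url', url], ['base', base]]) {
    if (typeof value !== 'string') {
      const got = value === null ? 'null' : typeof value;
      throw new TypeError(`${name} must be a string, got ${got}`);
    }
  }
  // Throws TypeError for input the URL parser rejects; the caller handles it.
  return new URL(url, base);
}

// Compare parsed origins instead of matching the string against a pattern.
function isSameOriginStrict(url, base = currentPageHref()) {
  return createStrictURL(url, base).origin === createStrictURL(base, base).origin;
}

// Constructed sample: a relative installation under /gitlab.
const sampleBase = 'https://example.com/gitlab/';

function demo() {
  return {
    relative: createStrictURL('projects', sampleBase).href,
    rootRelative: createStrictURL('/projects', sampleBase).href,
    lookalikeHost: isSameOriginStrict('https://example.com.other.test/x', sampleBase),
    protocolRelative: isSameOriginStrict('//other.test/x', sampleBase),
    samePage: isSameOriginStrict('issues?state=opened', sampleBase),
  };
}

console.log(demo());
```

The rootRelative result shows why relative installations need care: a path starting with / resolves against the origin and drops the /gitlab prefix.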