Skip to content

fix: add type safety to res.location to prevent encodeUrl crash #6947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ST4RKJR wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: add type safety to res.location to prevent encodeUrl crash #6947

ST4RKJR wants to merge 1 commit into from
+246 −212

Conversation

@ST4RKJR
Copy link

@ST4RKJR ST4RKJR commented Dec 4, 2025

res.location() currently passes the value directly into encodeUrl(url).
If url is not a string (e.g., null, undefined, numbers, objects), this
causes a TypeError and crashes the response.

This PR adds a small input guard that normalizes the value using
String(url ?? ''), ensuring encodeUrl always receives a valid string
and preventing runtime crashes.

This is a code-only, backward-compatible safety improvement.

@ST4RKJR
Copy link
Author

ST4RKJR commented Dec 4, 2025

Hi maintainers 👋
This PR adds a small safety improvement to res.location() to prevent encodeUrl() from throwing on non-string input.
Happy to update anything if needed. Thanks for reviewing!

@krzysdz
Copy link
Contributor

krzysdz commented Dec 4, 2025

So now invalid inputs will be quietly ignored without a trace? That doesn't sound like a good idea. While I understand that getting errors is annoying, it is much easier to debug problems if they are clearly signalled.

@ST4RKJR ST4RKJR force-pushed the fix/res-json-return branch from 9d7347e to d007023 Compare December 4, 2025 11:50
@ST4RKJR
Copy link
Author

ST4RKJR commented Dec 4, 2025

So now invalid inputs will be quietly ignored without a trace? That doesn't sound like a good idea. While I understand that getting errors is annoying, it is much easier to debug problems if they are clearly signalled.

Thanks for the feedback! You're right — silently coercing invalid values
could hide mistakes and make debugging harder. I updated the PR to throw
a descriptive TypeError instead when res.location() receives a
non-string value. This makes the behavior explicit and avoids unexpected
silent failures.

Happy to adjust further if needed!

@ST4RKJR ST4RKJR force-pushed the fix/res-json-return branch from d007023 to af9bfbd Compare December 4, 2025 11:56
@ST4RKJR
Copy link
Author

ST4RKJR commented Dec 4, 2025

Thanks for the feedback — the previous version was too strict and didn't
match existing Express behavior. I've updated res.location() to:

  • accept URL instances,
  • coerce all non-string inputs using String(),
  • avoid silent ignoring of invalid values,
  • and maintain backward compatibility.

This now aligns with the expectations in test/res.location.js.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ST4RKJR @krzysdz