fix: don't render redirect values in anchor href

Co-authored-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>

test/res.redirect.js

@@ -106,7 +106,7 @@ describe('res', function(){
       .set('Accept', 'text/html')
       .expect('Content-Type', /html/)
       .expect('Location', 'http://google.com')
-      .expect(302, '<p>Found. Redirecting to <a href="http://google.com">http://google.com</a></p>', done)
+      .expect(302, '<p>Found. Redirecting to http://google.com</p>', done)
     })
 
     it('should escape the url', function(done){
@@ -122,9 +122,27 @@ describe('res', function(){
       .set('Accept', 'text/html')
       .expect('Content-Type', /html/)
       .expect('Location', '%3Cla\'me%3E')
-      .expect(302, '<p>Found. Redirecting to <a href="%3Cla&#39;me%3E">%3Cla&#39;me%3E</a></p>', done)
+      .expect(302, '<p>Found. Redirecting to %3Cla&#39;me%3E</p>', done)
     })
 
+    it('should not render evil javascript links in anchor href (prevent XSS)', function(done){
+      var app = express();
+      var xss = 'javascript:eval(document.body.innerHTML=`<p>XSS</p>`);';
+      var encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);';
+
+      app.use(function(req, res){
+        res.redirect(xss);
+      });
+
+      request(app)
+      .get('/')
+      .set('Host', 'http://example.com')
+      .set('Accept', 'text/html')
+      .expect('Content-Type', /html/)
+      .expect('Location', encodedXss)
+      .expect(302, '<p>Found. Redirecting to ' + encodedXss +'</p>', done);
+    });
+
     it('should include the redirect type', function(done){
       var app = express();
 
@@ -137,7 +155,7 @@ describe('res', function(){
       .set('Accept', 'text/html')
       .expect('Content-Type', /html/)
       .expect('Location', 'http://google.com')
-      .expect(301, '<p>Moved Permanently. Redirecting to <a href="http://google.com">http://google.com</a></p>', done);
+      .expect(301, '<p>Moved Permanently. Redirecting to http://google.com</p>', done);
     })
   })