Security: Doesn't encode urls with punycode

[SamuelScheit]

Malicious actors could trick victims into click phishing links, because they look exactly like the valid original domain.
E.g. the original apple.com url could be converted using the cyrillic alphabet to аррlе.com which looks identical to the original url.
That's why the browser encodes urls with special characters using punycode to xn--l-7sbq6ba.com
You can check it, if you enter this in the browser console:

new URL("https://аррlе.com").href

this should result in

'https://xn--l-7sbq6ba.com/'

However this react-native-url-polyfill library doesn't encode urls using punycode which results in a huge security risk for the end user.

[charpeni]

Thanks for bringing this concern.

I think this is still better than React Native's implementation, but still not perfect.

What would you suggest in order to address this issue while remaining lightweight? Should we try to encode them with a lightweight library? Should we throw on URLs with special characters?

[SamuelScheit]

I'm not sure, but it looks like you are using whatwg-url-without-unicode and I don't know if it can encode those urls.
Maybe the package whatwg-url does support it

[charpeni]

Yes. I'm the author of whatwg-url-without-unicode and it doesn't support unicode so we can use URL and URLSearchParams with a smaller footprint (372 KB to 40.9 KB).

[SamuelScheit]

Wow thats a lot, I appreciate the effort, maybe there is a lightweight punycode lib to handle this issue.