From 1d1c1550ca470889674ac41fe809f357810485f3 Mon Sep 17 00:00:00 2001
From: BuckarooBanzay
Date: Tue, 22 Jun 2021 10:32:21 +0200
Subject: [PATCH 1/2] sanitize url before sending
---
 nic.lua | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/nic.lua b/nic.lua
index c717fb2..43330e4 100644
--- a/nic.lua
+++ b/nic.lua
@@ -62,6 +62,8 @@ minetest.register_node("digistuff:nic", {
 -- not supported
 return
 end
+ -- sanitize url
+ url = string.gsub(url, "%s", "%%20")
 http.fetch({
 url = url,
 timeout = 5,
From 82cf9aa557744471e333082dc32ccccb1f43e771 Mon Sep 17 00:00:00 2001
From: OgelGames <48543043+OgelGames@users.noreply.github.com>
Date: Tue, 22 Jun 2021 20:44:08 +1000
Subject: [PATCH 2/2] escape all unsafe characters
---
 nic.lua | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/nic.lua b/nic.lua
index 43330e4..a278338 100644
--- a/nic.lua
+++ b/nic.lua
@@ -1,4 +1,18 @@
 local http = ...
+
+local function char_to_hex(c)
+ return string.format("%%%02X", string.byte(c))
+end
+
+local function safe_url(url)
+ url = url:gsub("%s+", "%%20") -- space characters
+ url = url:gsub("%%$", "%%25") -- percent at the end of the url
+ url = url:gsub("%%(%x?%X)", "%%25%1") -- percents that are not escapes
+ url = url:gsub("\\", "/") -- backslash to forward slash
+ url = url:gsub("[^%w:/%?#%[%]@!%$&'%(%)%*%+,;=%-%._~%%]", char_to_hex) -- everything else unsafe
+ return url
+end
+
 minetest.register_node("digistuff:nic", {
 description = "Digilines NIC",
 groups = {cracky=3},
@@ -63,7 +77,7 @@ minetest.register_node("digistuff:nic", {
 return
 end
 -- sanitize url
- url = string.gsub(url, "%s", "%%20")
+ url = safe_url(url)
 http.fetch({
 url = url,
 timeout = 5,
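Review bot: In `safe_url` (patch 2/2, first hunk) the two percent passes leave some malformed escapes unencoded. gsub matches do not overlap, so in an input like `%%z` the second percent is consumed as the `%X` of the first match and survives as `%z`, and a trailing `%4` matches neither `%%$` nor `%%(%x?%X)`. A single pass that keeps only complete two-digit escapes covers both cases and can replace those two lines: `url = url:gsub("%%(%x?%x?)", function(h) if #h < 2 then return "%25" .. h end end)`. Separately, `%s+` folds a whole run of whitespace, CR/LF included, into one `%20`; the comment on that line should say so, since it changes the requested URL rather than only encoding it.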
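Review bot: At the `url = safe_url(url)` call (patch 2/2, second hunk) only the characters of the URL are normalised; nothing visible here restricts where `http.fetch` sends the request. If `url` comes from player-sent digiline messages (the assignment is outside the hunk), the server's HTTP client can still be pointed at loopback or internal addresses. Unless an earlier check already does this, a scheme guard such as `if not url:match("^https?://") then return end` and a server-configurable host allowlist before the fetch would close that gap. The enclosing action function starts and ends outside the hunk.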