From 746ca5dcb6667c5d364e782d53c542830e4c10b9 Mon Sep 17 00:00:00 2001
From: Sam Verschueren <sam.verschueren@gmail.com>
Date: Thu, 1 Dec 2022 16:59:32 +0100
Subject: [PATCH] Fix issue where decode throws - fixes #6

---
 index.js | 6 +++---
 test.js  | 5 ++++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/index.js b/index.js
index 691499b..d33e06e 100644
--- a/index.js
+++ b/index.js
@@ -6,7 +6,7 @@ var multiMatcher = new RegExp('(' + token + ')+', 'gi');
 function decodeComponents(components, split) {
 	try {
 		// Try to decode the entire string first
-		return decodeURIComponent(components.join(''));
+		return [decodeURIComponent(components.join(''))];
 	} catch (err) {
 		// Do nothing
 	}
@@ -28,12 +28,12 @@ function decode(input) {
 	try {
 		return decodeURIComponent(input);
 	} catch (err) {
-		var tokens = input.match(singleMatcher);
+		var tokens = input.match(singleMatcher) || [];
 
 		for (var i = 1; i < tokens.length; i++) {
 			input = decodeComponents(tokens, i).join('');
 
-			tokens = input.match(singleMatcher);
+			tokens = input.match(singleMatcher) || [];
 		}
 
 		return input;
diff --git a/test.js b/test.js
index 85adb1d..c083cc6 100644
--- a/test.js
+++ b/test.js
@@ -32,7 +32,10 @@ const tests = {
 	'%C2x': '\uFFFDx',
 	'%C2%B5': 'µ',
 	'%C2%B5%': 'µ%',
-	'%%C2%B5%': '%µ%'
+	'%%C2%B5%': '%µ%',
+
+	// This should actually return `%ea%baZ%ba`, but fixes a DOS attack for now
+	'%ea%ba%5a%ba': '꺺'
 };
 
 function macro(t, input, expected) {