frontend: Defensively filter unsafe links that may come from bugdown.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
Anders Kaseorg
2020-03-23 19:53:15 -07:00
committed by Tim Abbott
parent 64856d858e
commit 76ce370181
2 changed files with 13 additions and 3 deletions


@@ -367,9 +367,17 @@ exports.clean_user_content_links = function (html) {
continue;
}
// We detect URLs that are just fragments by comparing the URL
// against a new URL generated using only the hash.
if (url.hash === "" || url.href !== new URL(url.hash, window.location.href).href) {
if (
// eslint-disable-next-line no-script-url
["data:", "javascript:", "vbscript:"].indexOf(url.protocol) !== -1
) {
// Remove unsafe links completely.
elt.removeAttribute("href");
} else if (
// We detect URLs that are just fragments by comparing the URL
// against a new URL generated using only the hash.
url.hash === "" || url.href !== new URL(url.hash, window.location.href).href
) {
elt.setAttribute("target", "_blank");
elt.setAttribute("rel", "noopener noreferrer");
} else {