frontend: Defensively filter unsafe links that may come from bugdown.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2025-10-23 04:52:12 +00:00 · 2020-03-23 19:53:15 -07:00
parent 64856d858e
commit 76ce370181
2 changed files with 13 additions and 3 deletions
--- a/frontend_tests/node_tests/util.js
+++ b/frontend_tests/node_tests/util.js
@@ -311,10 +311,12 @@ run_test("clean_user_content_links", () => {
        util.clean_user_content_links(
            '<a href="http://example.com">good</a> ' +
            '<a href="http://localhost:NNNN">invalid</a> ' +
+            '<a href="javascript:alert(1)">unsafe</a> ' +
            '<a href="/#fragment" target="_blank">fragment</a>'
        ),
        '<a href="http://example.com" target="_blank" rel="noopener noreferrer">good</a> ' +
        '<a>invalid</a> ' +
+        '<a>unsafe</a> ' +
        '<a href="/#fragment">fragment</a>'
    );
 });
--- a/static/js/util.js
+++ b/static/js/util.js
@@ -367,9 +367,17 @@ exports.clean_user_content_links = function (html) {
            continue;
        }

+        if (
+            // eslint-disable-next-line no-script-url
+            ["data:", "javascript:", "vbscript:"].indexOf(url.protocol) !== -1
+        ) {
+            // Remove unsafe links completely.
+            elt.removeAttribute("href");
+        } else if (
            // We detect URLs that are just fragments by comparing the URL
            // against a new URL generated using only the hash.
-        if (url.hash === "" || url.href !== new URL(url.hash, window.location.href).href) {
+            url.hash === "" || url.href !== new URL(url.hash, window.location.href).href
+        ) {
            elt.setAttribute("target", "_blank");
            elt.setAttribute("rel", "noopener noreferrer");
        } else {