mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-14 00:07:01 +08:00
security: sanitize markdown link URLs to prevent javascript: XSS
Only allow http/https URLs in rendered markdown links. Replace any non-http(s) URL with '#' to prevent potential javascript: URI attacks.
This commit is contained in:
@@ -189,10 +189,13 @@ function renderInline(text: string): (string | JSX.Element)[] {
|
|||||||
} else if (part.match(/^\[([^\]]+)\]\(([^)]+)\)$/)) {
|
} else if (part.match(/^\[([^\]]+)\]\(([^)]+)\)$/)) {
|
||||||
const match = part.match(/^\[([^\]]+)\]\(([^)]+)\)$/)
|
const match = part.match(/^\[([^\]]+)\]\(([^)]+)\)$/)
|
||||||
if (match) {
|
if (match) {
|
||||||
|
const href = match[2]
|
||||||
|
// Only allow http/https links to prevent javascript: XSS
|
||||||
|
const safeHref = /^https?:\/\//i.test(href) ? href : '#'
|
||||||
result.push(
|
result.push(
|
||||||
<a
|
<a
|
||||||
key={i}
|
key={i}
|
||||||
href={match[2]}
|
href={safeHref}
|
||||||
target="_blank"
|
target="_blank"
|
||||||
rel="noopener noreferrer"
|
rel="noopener noreferrer"
|
||||||
style={{ color: '#F0B90B', textDecoration: 'underline', textUnderlineOffset: 2 }}
|
style={{ color: '#F0B90B', textDecoration: 'underline', textUnderlineOffset: 2 }}
|
||||||
|
|||||||
Reference in New Issue
Block a user