security: sanitize markdown link URLs to prevent javascript: XSS

Only allow http/https URLs in rendered markdown links. Replace any
non-http(s) URL with '#' to prevent potential javascript: URI attacks.
This commit is contained in:
shinchan-zhai
2026-03-23 09:44:32 +08:00
parent 9c49a4c8cc
commit 7b602e70e6

View File

@@ -189,10 +189,13 @@ function renderInline(text: string): (string | JSX.Element)[] {
} else if (part.match(/^\[([^\]]+)\]\(([^)]+)\)$/)) {
const match = part.match(/^\[([^\]]+)\]\(([^)]+)\)$/)
if (match) {
const href = match[2]
// Only allow http/https links to prevent javascript: XSS
const safeHref = /^https?:\/\//i.test(href) ? href : '#'
result.push(
<a
key={i}
href={match[2]}
href={safeHref}
target="_blank"
rel="noopener noreferrer"
style={{ color: '#F0B90B', textDecoration: 'underline', textUnderlineOffset: 2 }}