From 2ce57df485691cd02d78acb8d39f63005e318365 Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Wed, 13 Mar 2024 11:09:18 +0200
Subject: [PATCH] sanitize href
---
 app/javascript/submission_form/completed.vue | 8 +++++++-
 app/javascript/submission_form/markdown_content.vue | 7 ++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/app/javascript/submission_form/completed.vue b/app/javascript/submission_form/completed.vue
index 97f43d62..d8aadd72 100644
--- a/app/javascript/submission_form/completed.vue
+++ b/app/javascript/submission_form/completed.vue
@@ -16,7 +16,8 @@
@@ -215,6 +216,11 @@ export default {
 this.isDownloading = false
 },
+ sanitizeHref (href) {
+ if (href && href.trim().match(/^((?:https?:\/\/)|\/)/)) {
+ return href.replace(/javascript:/g, '')
+ }
+ },
 downloadSafariIos (urls) {
 const fileRequests = urls.map((url) => {
 return fetch(url).then(async (resp) => {
diff --git a/app/javascript/submission_form/markdown_content.vue b/app/javascript/submission_form/markdown_content.vue
index 5b1a7c59..32ecd3d5 100644
--- a/app/javascript/submission_form/markdown_content.vue
+++ b/app/javascript/submission_form/markdown_content.vue
@@ -6,7 +6,7 @@ >
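Review bot: In the added `sanitizeHref` (hunk `@@ -215,6 +216,11 @@` of completed.vue), the anchored allowlist regex is what actually keeps script-scheme values out of the link, while the follow-up `href.replace(/javascript:/g, '')` adds no protection and silently rewrites legitimate URLs that carry that substring in a path or query. The check also runs on `href.trim()` but the untrimmed `href` is returned, so the validated value and the emitted value differ, and a non-string `href` would throw on `.trim()`. I would return exactly what was validated and drop the strip: `const url = typeof href === 'string' ? href.trim() : ''` followed by `if (/^(?:https?:\/\/|\/)/i.test(url)) return url`. The leading-`/` branch also accepts protocol-relative `//host` values; that is no wider than the `https?` branch, but it deserves a comment such as `// allowlist: absolute http(s) or root-relative paths only; anything else yields undefined`. The template call sites and the markdown_content.vue change are not visible on this page, so how they treat the `undefined` result for rejected values should be confirmed there.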