sanitize href

app/javascript/submission_form/completed.vue

@@ -16,7 +16,8 @@
     <div class="space-y-3 mt-5">
       <a
         v-if="completedButton.url"
-        :href="completedButton.url"
+        :href="sanitizeHref(completedButton.url)"
+        rel="noopener noreferrer nofollow"
         class="white-button flex items-center w-full"
       >
         <span>
@@ -215,6 +216,11 @@ export default {
 
       this.isDownloading = false
     },
+    sanitizeHref (href) {
+      if (href && href.trim().match(/^((?:https?:\/\/)|\/)/)) {
+        return href.replace(/javascript:/g, '')
+      }
+    },
     downloadSafariIos (urls) {
       const fileRequests = urls.map((url) => {
         return fetch(url).then(async (resp) => {

app/javascript/submission_form/markdown_content.vue

@@ -6,7 +6,7 @@
     >
       <a
         v-if="item.startsWith('<a') && item.endsWith('</a>')"
-        :href="extractAttr(item, 'href')"
+        :href="sanitizeHref(extractAttr(item, 'href'))"
         rel="noopener noreferrer nofollow"
         :class="extractAttr(item, 'class') || 'link'"
         target="_blank"
@@ -55,6 +55,11 @@ export default {
     }
   },
   methods: {
+    sanitizeHref (href) {
+      if (href && href.trim().match(/^((?:https?:\/\/)|\/)/)) {
+        return href.replace(/javascript:/g, '')
+      }
+    },
     extractAttr (text, attr) {
       if (text.includes(attr)) {
         return text.split(attr).pop().split('"')[1]