sanitize url

2 months ago · 8b9056894e
parent 7f979e9396
commit 8b9056894e
5 changed files with 14 additions and 13 deletions
--- a/app/javascript/submission_form/completed.vue
+++ b/app/javascript/submission_form/completed.vue
@ -25,7 +25,7 @@
    <div class="space-y-3 mt-5">
      <a
        v-if="completedButton.url"
-        :href="sanitizeHref(completedButton.url)"
+        :href="sanitizeUrl(completedButton.url)"
        rel="noopener noreferrer nofollow"
        class="white-button flex items-center w-full completed-form-completed-button"
      >
@ -102,6 +102,7 @@
 <script>
 import { IconCircleCheck, IconBrandGithub, IconMail, IconDownload, IconInnerShadowTop, IconLogin } from '@tabler/icons-vue'
 import MarkdownContent from './markdown_content'
+import { sanitizeUrl } from '@braintree/sanitize-url'

 export default {
  name: 'FormCompleted',
@ -198,6 +199,7 @@ export default {
    })
  },
  methods: {
+    sanitizeUrl,
    sendCopyToEmail () {
      this.isSendingCopy = true

@ -252,11 +254,6 @@ export default {
        this.isDownloading = false
      })
    },
-    sanitizeHref (href) {
-      if (href && href.trim().match(/^((?:https?:\/\/)|\/)/)) {
-        return href.replace(/javascript:/g, '')
-      }
-    },
    downloadSafariIos (urls) {
      const fileRequests = urls.map((url) => {
        return fetch(url).then(async (resp) => {
--- a/app/javascript/submission_form/form.vue
+++ b/app/javascript/submission_form/form.vue
@ -572,6 +572,7 @@ import FormCompleted from './completed'
 import { IconInnerShadowTop, IconArrowsDiagonal, IconWritingSign, IconArrowsDiagonalMinimize2 } from '@tabler/icons-vue'
 import AppearsOn from './appears_on'
 import i18n from './i18n'
+import { sanitizeUrl } from '@braintree/sanitize-url'

 const isEmpty = (obj) => {
  if (obj == null) return true
@ -1476,7 +1477,7 @@ export default {
      }

      if (this.completedRedirectUrl) {
-        window.location.href = this.completedRedirectUrl
+        window.location.href = sanitizeUrl(this.completedRedirectUrl)
      }
    }
  }
--- a/app/javascript/submission_form/markdown_content.vue
+++ b/app/javascript/submission_form/markdown_content.vue
@ -6,7 +6,7 @@
    >
      <a
        v-if="item.startsWith('<a') && item.endsWith('</a>')"
-        :href="sanitizeHref(extractAttr(item, 'href'))"
+        :href="sanitizeUrl(extractAttr(item, 'href'))"
        rel="noopener noreferrer nofollow"
        :class="extractAttr(item, 'class') || 'link'"
        target="_blank"
@ -37,6 +37,7 @@

 <script>
 import snarkdown from 'snarkdown'
+import { sanitizeUrl } from '@braintree/sanitize-url'

 const htmlSplitRegexp = /(<a.+?<\/a>|<i>.+?<\/i>|<b>.+?<\/b>|<em>.+?<\/em>|<strong>.+?<\/strong>|<br>)/

@ -65,11 +66,7 @@ export default {
    }
  },
  methods: {
-    sanitizeHref (href) {
-      if (href && href.trim().match(/^((?:https?:\/\/)|\/)/)) {
-        return href.replace(/javascript:/g, '')
-      }
-    },
+    sanitizeUrl,
    extractAttr (text, attr) {
      if (text.includes(attr)) {
        return text.split(attr).pop().split('"')[1]
--- a/package.json
+++ b/package.json
@ -6,6 +6,7 @@
    "@babel/plugin-transform-runtime": "7.21.4",
    "@babel/preset-env": "7.21.5",
    "@babel/runtime": "7.21.5",
+    "@braintree/sanitize-url": "^7.1.1",
    "@codemirror/lang-html": "^6.4.9",
    "@eid-easy/eideasy-widget": "^2.163.4",
    "@github/catalyst": "^2.0.0-beta",
--- a/yarn.lock
+++ b/yarn.lock
@ -1030,6 +1030,11 @@
    "@babel/helper-string-parser" "^7.25.9"
    "@babel/helper-validator-identifier" "^7.25.9"

+"@braintree/sanitize-url@^7.1.1":
+  version "7.1.1"
+  resolved "https://registry.yarnpkg.com/@braintree/sanitize-url/-/sanitize-url-7.1.1.tgz#15e19737d946559289b915e5dad3b4c28407735e"
+  integrity sha512-i1L7noDNxtFyL5DmZafWy1wRVhGehQmzZaz1HiN5e7iylJMSZR7ekOV7NsIqa5qBldlLrsKv4HbgFUVlQrz8Mw==
+
 "@codemirror/autocomplete@^6.0.0":
  version "6.18.6"
  resolved "https://registry.yarnpkg.com/@codemirror/autocomplete/-/autocomplete-6.18.6.tgz#de26e864a1ec8192a1b241eb86addbb612964ddb"