sanitize url

pull/381/merge
Pete Matsyburka 2 months ago
parent 7f979e9396
commit 8b9056894e

@ -25,7 +25,7 @@
<div class="space-y-3 mt-5"> <div class="space-y-3 mt-5">
<a <a
v-if="completedButton.url" v-if="completedButton.url"
:href="sanitizeHref(completedButton.url)" :href="sanitizeUrl(completedButton.url)"
rel="noopener noreferrer nofollow" rel="noopener noreferrer nofollow"
class="white-button flex items-center w-full completed-form-completed-button" class="white-button flex items-center w-full completed-form-completed-button"
> >
@ -102,6 +102,7 @@
<script> <script>
import { IconCircleCheck, IconBrandGithub, IconMail, IconDownload, IconInnerShadowTop, IconLogin } from '@tabler/icons-vue' import { IconCircleCheck, IconBrandGithub, IconMail, IconDownload, IconInnerShadowTop, IconLogin } from '@tabler/icons-vue'
import MarkdownContent from './markdown_content' import MarkdownContent from './markdown_content'
import { sanitizeUrl } from '@braintree/sanitize-url'
export default { export default {
name: 'FormCompleted', name: 'FormCompleted',
@ -198,6 +199,7 @@ export default {
}) })
}, },
methods: { methods: {
sanitizeUrl,
sendCopyToEmail () { sendCopyToEmail () {
this.isSendingCopy = true this.isSendingCopy = true
@ -252,11 +254,6 @@ export default {
this.isDownloading = false this.isDownloading = false
}) })
}, },
sanitizeHref (href) {
if (href && href.trim().match(/^((?:https?:\/\/)|\/)/)) {
return href.replace(/javascript:/g, '')
}
},
downloadSafariIos (urls) { downloadSafariIos (urls) {
const fileRequests = urls.map((url) => { const fileRequests = urls.map((url) => {
return fetch(url).then(async (resp) => { return fetch(url).then(async (resp) => {
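Review bot: Swapping `sanitizeHref` for `sanitizeUrl` at `:href="sanitizeUrl(completedButton.url)"` changes the policy from an allowlist (only `http(s)://` or a leading `/`) to the library's denylist of `javascript:`, `data:` and `vbscript:` schemes, so values with any other scheme (`mailto:`, `file:`, custom protocol handlers) now reach the `href`; the same applies to the `:href` on the anchor in the markdown_content hunk of this commit. The library also returns the string `'about:blank'` for a rejected value where `sanitizeHref` returned `undefined`, and `v-if="completedButton.url"` still tests the raw value, so a blocked URL is now rendered as a clickable link to about:blank instead of the attribute being dropped. If the narrower scope was intended, keep it in front of the library call, e.g. `v-if="completedButton.url && /^(https?:\/\/|\/)/.test(completedButton.url.trim())"`, or at least gate on `sanitizeUrl(completedButton.url) !== 'about:blank'`. Whether the wider scheme set is acceptable depends on where `completedButton.url` is set, which is not visible in this hunk.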

@ -572,6 +572,7 @@ import FormCompleted from './completed'
import { IconInnerShadowTop, IconArrowsDiagonal, IconWritingSign, IconArrowsDiagonalMinimize2 } from '@tabler/icons-vue' import { IconInnerShadowTop, IconArrowsDiagonal, IconWritingSign, IconArrowsDiagonalMinimize2 } from '@tabler/icons-vue'
import AppearsOn from './appears_on' import AppearsOn from './appears_on'
import i18n from './i18n' import i18n from './i18n'
import { sanitizeUrl } from '@braintree/sanitize-url'
const isEmpty = (obj) => { const isEmpty = (obj) => {
if (obj == null) return true if (obj == null) return true
@ -1476,7 +1477,7 @@ export default {
} }
if (this.completedRedirectUrl) { if (this.completedRedirectUrl) {
window.location.href = this.completedRedirectUrl window.location.href = sanitizeUrl(this.completedRedirectUrl)
} }
} }
} }
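Review bot: `window.location.href = sanitizeUrl(this.completedRedirectUrl)` navigates the user to a blank page when the configured redirect is rejected, because `@braintree/sanitize-url` maps a blocked value to the string `'about:blank'` rather than returning a falsy value; the surrounding `if (this.completedRedirectUrl)` only checks the raw value. Computing the sanitized value first and skipping the assignment would keep the user on the completed form instead: `const redirectUrl = sanitizeUrl(this.completedRedirectUrl)` followed by `if (redirectUrl !== 'about:blank') window.location.href = redirectUrl`. The enclosing method starts outside the hunk, so any logging of a rejected redirect would go where that method handles its other branches.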

@ -6,7 +6,7 @@
> >
<a <a
v-if="item.startsWith('<a') && item.endsWith('</a>')" v-if="item.startsWith('<a') && item.endsWith('</a>')"
:href="sanitizeHref(extractAttr(item, 'href'))" :href="sanitizeUrl(extractAttr(item, 'href'))"
rel="noopener noreferrer nofollow" rel="noopener noreferrer nofollow"
:class="extractAttr(item, 'class') || 'link'" :class="extractAttr(item, 'class') || 'link'"
target="_blank" target="_blank"
@ -37,6 +37,7 @@
<script> <script>
import snarkdown from 'snarkdown' import snarkdown from 'snarkdown'
import { sanitizeUrl } from '@braintree/sanitize-url'
const htmlSplitRegexp = /(<a.+?<\/a>|<i>.+?<\/i>|<b>.+?<\/b>|<em>.+?<\/em>|<strong>.+?<\/strong>|<br>)/ const htmlSplitRegexp = /(<a.+?<\/a>|<i>.+?<\/i>|<b>.+?<\/b>|<em>.+?<\/em>|<strong>.+?<\/strong>|<br>)/
@ -65,11 +66,7 @@ export default {
} }
}, },
methods: { methods: {
sanitizeHref (href) { sanitizeUrl,
if (href && href.trim().match(/^((?:https?:\/\/)|\/)/)) {
return href.replace(/javascript:/g, '')
}
},
extractAttr (text, attr) { extractAttr (text, attr) {
if (text.includes(attr)) { if (text.includes(attr)) {
return text.split(attr).pop().split('"')[1] return text.split(attr).pop().split('"')[1]
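Review bot: `:href="sanitizeUrl(extractAttr(item, 'href'))"` now emits `href="about:blank"` for an anchor that has no `href` attribute, because `extractAttr` appears to return `undefined` when `text.includes(attr)` is false (its remaining branch is outside the hunk) and `sanitizeUrl` in v7 returns `'about:blank'` for an empty or undefined input, whereas the removed `sanitizeHref` returned `undefined` and Vue omitted the attribute. Guard the call so the attribute stays absent in that case, e.g. `:href="extractAttr(item, 'href') ? sanitizeUrl(extractAttr(item, 'href')) : null"`, or wrap it in a small method such as `safeHref (text) { const h = this.extractAttr(text, 'href'); return h ? sanitizeUrl(h) : null }`. Registering the library function directly under `methods: { sanitizeUrl, ... }` is fine for template access, but a named wrapper would also be the natural place for the `about:blank` check.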

@ -6,6 +6,7 @@
"@babel/plugin-transform-runtime": "7.21.4", "@babel/plugin-transform-runtime": "7.21.4",
"@babel/preset-env": "7.21.5", "@babel/preset-env": "7.21.5",
"@babel/runtime": "7.21.5", "@babel/runtime": "7.21.5",
"@braintree/sanitize-url": "^7.1.1",
"@codemirror/lang-html": "^6.4.9", "@codemirror/lang-html": "^6.4.9",
"@eid-easy/eideasy-widget": "^2.163.4", "@eid-easy/eideasy-widget": "^2.163.4",
"@github/catalyst": "^2.0.0-beta", "@github/catalyst": "^2.0.0-beta",

@ -1030,6 +1030,11 @@
"@babel/helper-string-parser" "^7.25.9" "@babel/helper-string-parser" "^7.25.9"
"@babel/helper-validator-identifier" "^7.25.9" "@babel/helper-validator-identifier" "^7.25.9"
"@braintree/sanitize-url@^7.1.1":
version "7.1.1"
resolved "https://registry.yarnpkg.com/@braintree/sanitize-url/-/sanitize-url-7.1.1.tgz#15e19737d946559289b915e5dad3b4c28407735e"
integrity sha512-i1L7noDNxtFyL5DmZafWy1wRVhGehQmzZaz1HiN5e7iylJMSZR7ekOV7NsIqa5qBldlLrsKv4HbgFUVlQrz8Mw==
"@codemirror/autocomplete@^6.0.0": "@codemirror/autocomplete@^6.0.0":
version "6.18.6" version "6.18.6"
resolved "https://registry.yarnpkg.com/@codemirror/autocomplete/-/autocomplete-6.18.6.tgz#de26e864a1ec8192a1b241eb86addbb612964ddb" resolved "https://registry.yarnpkg.com/@codemirror/autocomplete/-/autocomplete-6.18.6.tgz#de26e864a1ec8192a1b241eb86addbb612964ddb"
