parser: use safer mechanism for allowing URLs

A default-remove boolean flag makes it easier to get this right and to
decouple the if-branches that check whether something is OK (which may
get more complex in the future) from the actual handling of the result:
the href attribute is always removed unless explicitly told
otherwise.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2023-10-03 08:37:34 +02:00
parent ade0e572d2
commit e21d3a40ad


@ -31,6 +31,7 @@ Ext.define('Proxmox.Markdown', {
) {
node.attributes.removeNamedItem(name);
} else if ((name === 'href' || name === 'src') && !_isHTTPLike(value)) {
let safeURL = false;
try {
let url = new URL(value, window.location.origin);
if (
@ -38,6 +39,9 @@ Ext.define('Proxmox.Markdown', {
canonicalTagName === 'a' ||
(canonicalTagName === 'img' && url.protocol.toLowerCase() === 'data:')
) {
safeURL = true;
}
if (safeURL) {
node.attributes[i].value = url.href;
} else {
node.attributes.removeNamedItem(name);
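Review bot: The `canonicalTagName === 'a' ||` operand in the second hunk sets `safeURL = true` for an anchor regardless of the parsed URL's scheme, so a `javascript:` href would still reach `node.attributes[i].value = url.href` unless something outside the visible lines filters it. The first operand of that `if` falls between the two hunks and is not shown, and the enclosing function and the `catch` branch lie outside the hunk, so this is judged on the visible lines only. Tie the anchor case to an explicit scheme allow-list, for example `(canonicalTagName === 'a' && url.protocol === 'mailto:') ||`, assuming the hidden operand already accepts http(s) results for relative links, and extend the list deliberately if other schemes are needed. A short comment above `let safeURL = false;` such as `// default-deny: the attribute is removed unless a check below opts in` would record the intent stated in the commit message. `url.protocol` is already lower-cased by the URL parser, so the `.toLowerCase()` in the `img` check is redundant.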