Skip to content

Commit

Permalink
fix: Ensure url is valid before opening to prevent XSS
Browse files Browse the repository at this point in the history
  • Loading branch information
scottlovegrove committed Jul 4, 2024
1 parent 20b6cae commit 3c7c1ad
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 3 deletions.
2 changes: 1 addition & 1 deletion package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion packages/ui-extensions-react/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@doist/ui-extensions-react",
"version": "12.0.0",
"version": "12.0.1",
"author": "Doist",
"license": "MIT",
"main": "dist/index.js",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,28 @@ export function registerMarkdownParser(markdownParser: (text: string) => string)
}
}

/**
* Protects against XSS attacks by validating the URL.
* @param url
* @returns
*/
function isValidUrl(url: string): boolean {
try {
// Parse the URL using the URL constructor
let parsedUrl = new URL(url);

// Check for allowed protocols
if (parsedUrl.protocol === "http:" || parsedUrl.protocol === "https:") {
return true;
} else {
return false;
}
} catch (e) {
// If URL constructor throws an error, it's an invalid URL
return false;
}
}

/**
* To support markdown, register a markdown parser via `registerMarkdownParser`
* @see registerMarkdownParser
Expand Down Expand Up @@ -97,7 +119,7 @@ export function AdaptiveCardRenderer({
try {
const inputs = adaptiveCard.getAllInputs()
const inputsObject = getInputObject(inputs)
if (action instanceof OpenUrlAction && action.url) {
if (action instanceof OpenUrlAction && action.url && isValidUrl(action.url)) {
window.open(action.url, '_blank')
} else if (action instanceof ClipboardAction && action.text) {
clipboardHandler(action.text)
Expand Down

0 comments on commit 3c7c1ad

Please sign in to comment.