From 17a29dcd329fc9b999df2beee99c0269ece03411 Mon Sep 17 00:00:00 2001
From: Irina Kuzmina
Date: Wed, 22 Jan 2025 16:56:12 +0300
Subject: [PATCH 1/2] Validate url schema
---
 src/ui/components/Markup/Markup.tsx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/ui/components/Markup/Markup.tsx b/src/ui/components/Markup/Markup.tsx
index c5b20fcfa4..c9effc5d35 100644
--- a/src/ui/components/Markup/Markup.tsx
+++ b/src/ui/components/Markup/Markup.tsx
@@ -5,6 +5,7 @@ import merge from 'lodash/merge';
 import type {MarkupItem, MarkupItemType} from '../../../shared';
 import {MarkupItemTypes, isMarkupItem, markupToRawString} from '../../../shared';
+import {validateUrl} from '../../libs/DatalensChartkit/modules/html-generator/utils';
 import {UserInfo} from './components/UserInfo/UserInfo';
 import {isNumericCSSValueValid} from './utils';
@@ -97,10 +98,12 @@ const getConfig = (
 break;
 }
 case MarkupItemTypes.Url: {
+ const href = markupItem.url || '';
+ validateUrl(href);
 iteratedConfigItem.element = Link as TemplateItem['element'];
 iteratedConfigItem.props = merge(iteratedConfigItem.props, {
 view: 'normal',
- href: markupItem.url || '',
+ href,
 target: '_blank',
 });
 break;
From e4057f57f5c2013e74e07cc5e3c6d28f5cfda66d Mon Sep 17 00:00:00 2001
From: Irina Kuzmina
Date: Wed, 22 Jan 2025 19:40:49 +0300
Subject: [PATCH 2/2] fix
---
 src/ui/components/Markup/Markup.tsx | 5 ++---
 .../DatalensChartkit/ChartKit/helpers/apply-hc-handlers.ts | 6 +++---
 .../modules/data-provider/charts/ui-sandbox.ts | 7 ++++---
 .../libs/DatalensChartkit/modules/html-generator/utils.ts | 4 +++-
 4 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/ui/components/Markup/Markup.tsx b/src/ui/components/Markup/Markup.tsx
index c9effc5d35..6c26cb2b9c 100644
--- a/src/ui/components/Markup/Markup.tsx
+++ b/src/ui/components/Markup/Markup.tsx
@@ -1,11 +1,11 @@
 import React from 'react';
+import {sanitizeUrl} from '@braintree/sanitize-url';
 import {Link} from '@gravity-ui/uikit';
 import merge from 'lodash/merge';
 import type {MarkupItem, MarkupItemType} from '../../../shared';
 import {MarkupItemTypes, isMarkupItem, markupToRawString} from '../../../shared';
-import {validateUrl} from '../../libs/DatalensChartkit/modules/html-generator/utils';
 import {UserInfo} from './components/UserInfo/UserInfo';
 import {isNumericCSSValueValid} from './utils';
@@ -98,8 +98,7 @@ const getConfig = (
 break;
 }
 case MarkupItemTypes.Url: {
- const href = markupItem.url || '';
- validateUrl(href);
+ const href = sanitizeUrl(markupItem.url || '');
 iteratedConfigItem.element = Link as TemplateItem['element'];
 iteratedConfigItem.props = merge(iteratedConfigItem.props, {
 view: 'normal',
diff --git a/src/ui/libs/DatalensChartkit/ChartKit/helpers/apply-hc-handlers.ts b/src/ui/libs/DatalensChartkit/ChartKit/helpers/apply-hc-handlers.ts
index dea90c8e79..25fa116d02 100644
--- a/src/ui/libs/DatalensChartkit/ChartKit/helpers/apply-hc-handlers.ts
+++ b/src/ui/libs/DatalensChartkit/ChartKit/helpers/apply-hc-handlers.ts
@@ -1,3 +1,4 @@
+import {sanitizeUrl} from '@braintree/sanitize-url';
 import type {Highcharts} from '@gravity-ui/chartkit/highcharts';
 import {pickActionParamsFromParams} from '@gravity-ui/dashkit/helpers';
 import {wrap} from 'highcharts';
@@ -7,7 +8,6 @@ import merge from 'lodash/merge';
 import set from 'lodash/set';
 import type {GoToEventHandler, GraphWidgetEventScope} from '../../../../../shared';
-import {validateUrl} from '../../modules/html-generator/utils';
 import type {GraphWidget} from '../../types';
 import type {ChartKitAdapterProps} from '../types';
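Review bot: The new `@braintree/sanitize-url` import is an added third-party dependency, yet the diffstat of this patch lists only the four source files and no package manifest or lockfile, so either the package is already declared or this change does not build from a clean checkout; worth confirming it is declared and pinned before merge. The same import is added in apply-hc-handlers.ts, ui-sandbox.ts and utils.ts by this patch.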
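Review bot: `sanitizeUrl(markupItem.url || '')` changes what a Url item renders for missing or rejected values: `@braintree/sanitize-url` does not throw but returns the literal `about:blank` for an empty string and for the schemes it blocks (javascript:, data:, vbscript:), so an item without `url` now gets a live link to `about:blank` where it previously had an empty href. The `ALLOWED_REFERENCES` allow-list that `validateUrl` enforced in PATCH 1 is also no longer applied at this site, so any scheme the library does not block is accepted — the check has moved from allow-list to deny-list, presumably to avoid the throw inside `getConfig` that PATCH 1 introduced. A non-throwing predicate over `ALLOWED_REFERENCES` next to `validateUrl` (say `isAllowedUrl`) with an empty-href fallback keeps both properties: `const sanitized = sanitizeUrl(markupItem.url || ''); const href = isAllowedUrl(sanitized) ? sanitized : '';`. `getConfig` starts and continues outside the hunk.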
@@ -167,8 +167,8 @@ function handleSeriesClickForGoTo(args: {
 }
 try {
- validateUrl(pointUrl);
- window.open(pointUrl, target === '_self' ? '_self' : '_blank');
+ const url = sanitizeUrl(pointUrl);
+ window.open(url, target === '_self' ? '_self' : '_blank');
 } catch (e) {
 console.error(e);
 }
diff --git a/src/ui/libs/DatalensChartkit/modules/data-provider/charts/ui-sandbox.ts b/src/ui/libs/DatalensChartkit/modules/data-provider/charts/ui-sandbox.ts
index 3dff7db434..03ef577787 100644
--- a/src/ui/libs/DatalensChartkit/modules/data-provider/charts/ui-sandbox.ts
+++ b/src/ui/libs/DatalensChartkit/modules/data-provider/charts/ui-sandbox.ts
@@ -1,3 +1,4 @@
+import {sanitizeUrl} from '@braintree/sanitize-url';
 import type {PointOptionsType} from 'highcharts';
 import escape from 'lodash/escape';
 import get from 'lodash/get';
@@ -19,7 +20,7 @@ import {
 import Performance from '../../../ChartKit/modules/perfomance';
 import type {UiSandboxRuntimeOptions} from '../../../types';
 import {generateHtml} from '../../html-generator';
-import {getParseHtmlFn, validateUrl} from '../../html-generator/utils';
+import {getParseHtmlFn} from '../../html-generator/utils';
 import {UiSandboxRuntime} from './ui-sandbox-runtime';
@@ -243,8 +244,8 @@ async function getUnwrappedFunction(args: {
 window: {
 open: function (url: string, target?: string) {
 try {
- validateUrl(url);
- window.open(url, target === '_self' ? '_self' : '_blank');
+ const href = sanitizeUrl(url);
+ window.open(href, target === '_self' ? '_self' : '_blank');
 } catch (e) {
 console.error(e);
 }
diff --git a/src/ui/libs/DatalensChartkit/modules/html-generator/utils.ts b/src/ui/libs/DatalensChartkit/modules/html-generator/utils.ts
index 9f66ca6a2d..6c2136213d 100644
--- a/src/ui/libs/DatalensChartkit/modules/html-generator/utils.ts
+++ b/src/ui/libs/DatalensChartkit/modules/html-generator/utils.ts
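Review bot: The `catch` below no longer stops a rejected URL: `sanitizeUrl` does not throw but returns `about:blank` for javascript:/data:/vbscript: schemes and for empty input, so `window.open(url, …)` now opens a blank tab for exactly the inputs `validateUrl` used to refuse and log, and the `ALLOWED_REFERENCES` allow-list is no longer consulted at this call site at all. The same pattern appears in ui-sandbox.ts @@ -243, which looks like the `window.open` shim handed to sandboxed chart code, where the argument is least trustworthy. Keeping the allow-list after sanitizing restores the refuse-and-log path without passing the raw string on: `const url = sanitizeUrl(pointUrl); validateUrl(url); window.open(url, target === '_self' ? '_self' : '_blank');` (the `validateUrl` import dropped at @@ -7 would then stay). `handleSeriesClickForGoTo` starts outside the hunk.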
@@ -1,3 +1,4 @@
+import {sanitizeUrl} from '@braintree/sanitize-url';
 import escape from 'lodash/escape';
 import isObject from 'lodash/isObject';
 import type {ChartKitHtmlItem} from 'shared';
@@ -7,7 +8,8 @@ import {ChartKitCustomError} from '../../ChartKit/modules/chartkit-custom-error/
 import {ALLOWED_REFERENCES, ATTR_DATA_CE_THEME, THEME_CSS_VARIABLE_PREFIX} from './constants';
 export function validateUrl(url: string, errorMsg?: string) {
- if (!ALLOWED_REFERENCES.some((ref) => String(url).startsWith(ref))) {
+ const href = sanitizeUrl(url);
+ if (!ALLOWED_REFERENCES.some((ref) => href.startsWith(ref))) {
 const msg = errorMsg ?? `'${url}' is not valid url`;
 throw new ChartKitCustomError(undefined, {
 message: msg,
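Review bot: The `String(url)` coercion on the removed line is worth keeping: `sanitizeUrl` uses string methods on its argument, so if a non-string reaches `validateUrl` at runtime (the `url: string` signature does not guarantee this for values crossing the chart-data or sandbox boundary) the failure is now a TypeError from inside the library instead of the `ChartKitCustomError` with the `is not valid url` message; `const href = sanitizeUrl(String(url));` preserves the old contract. Separately, the sanitized `href` is computed only for the check and then discarded, so callers that pass validation still use their raw `url`; returning it (`return href;` after the `if` block) lets callers render or open the checked form, which is what the three call sites in this patch now do by hand. The rest of `validateUrl` continues outside the hunk.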