Merge pull request #163 from zooniverse/external-link-xss-fix
Add simple URL checks to the external link editor
mcbouslog authored Dec 11, 2018
2 parents 201d49a + bd7411e commit 1083658
Showing 1 changed file with 16 additions and 5 deletions.
21 changes: 16 additions & 5 deletions src/modules/common/components/external-links-editor.jsx
Expand Up @@ -25,7 +25,15 @@ export default class ExternalLinksEditor extends React.Component {

handleInputChange(index, event) {
const urls = this.props.urls;
urls[index][event.target.name] = event.target.value;
const { name, type, value } = event.target;

let sanitisedValue = value;
if (type === 'url' && value.length > 4) {
const isURL = value.substring(0, 4) === 'http';
sanitisedValue = isURL ? value : '';
}

urls[index][name] = sanitisedValue;
this.props.onChange(urls);
}

Expand All @@ -50,18 +58,21 @@ export default class ExternalLinksEditor extends React.Component {
<tr key={link._key}>
<td>
<input
type="text"
name="label"
value={link.label}
onChange={this.handleInputChange.bind(this, index)}
required
type="text"
value={link.label}
/>
</td>
<td>
<input
type="text"
name="url"
value={link.url}
onChange={this.handleInputChange.bind(this, index)}
pattern="https?://.+"
required
type="url"
value={link.url}
/>
</td>
<td>
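Review bot: The scheme check in `handleInputChange` runs only while someone types into this editor, and it accepts any value that merely begins with the four characters `http` (values of four characters or fewer skip it entirely), so it is looser than the `pattern="https?://.+"` added on the input and does nothing for URLs that are already stored or that reach the backend by another path. The `pattern` and `required` attributes are enforced by the browser only at form submission, which these hunks do not show happening. The code that renders these links as an `href` is not in this diff; that is where the allowlist has to hold, for example `const href = /^https?:\/\//i.test(link.url) ? link.url : undefined;`, with the same rule applied wherever the links are persisted. The render method continues outside the second hunk, so whether a save path re-validates cannot be confirmed from here.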
