Split the logic so that each tag is handled explicitly on its own
if-else branch, which is now safer to do as we default to
allow-only-http-like.
Also address a recently introduced regression from the implementation
of the #4756 where any user that could edit notes could use
javascript: script-urls for XSS purpose to prepare a link that could
leak private user information when another user clicked on it, at
least if they omitted basic sanity checks by looking at the URL
displayed by the browser before.
We have to override a false-positive triggered by an eslint heuristic,
a simple string comparison should be always safe.
Fixes: 5cbbb9c ("fix #4756: markdown notes: allow any valid URL for a tags")
Reported-by: Hieu Dang Cong <HieuDC5@fpt.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
try {
let url = new URL(value, window.location.origin);
safeURL = _isHTTPLike(url.protocol);
- if (
- canonicalTagName === 'a' ||
- (canonicalTagName === 'img' && url.protocol.toLowerCase() === 'data:')
- ) {
+ if (canonicalTagName === 'img' && url.protocol.toLowerCase() === 'data:') {
safeURL = true;
+ } else if (canonicalTagName === 'a') {
+ // allow most link protocols so admins can use short-cuts to, e.g., RDP
+ safeURL = url.protocol.toLowerCase() !== 'javascript:'; // eslint-disable-line no-script-url
}
if (safeURL) {
node.attributes[i].value = url.href;
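Review bot: the new `else if (canonicalTagName === 'a')` branch replaces the `_isHTTPLike` default with a denylist of exactly one scheme, `javascript:`, so any other non-HTTP scheme the browser knows how to dispatch is now accepted for anchors; a single-entry denylist is fragile compared to the allowlist the surrounding code already uses. Consider keeping `safeURL = _isHTTPLike(url.protocol)` as the baseline for `a` tags and extending it with an explicit allowlist of the schemes the commit message actually wants (e.g. the RDP short-cuts mentioned in the comment), so each permitted protocol is a deliberate decision rather than whatever is not yet denied. Minor: `url.protocol` comes from `new URL(...)`, whose parser already normalises the scheme to lowercase, so the `.toLowerCase()` on the `img` and `a` branches is redundant and could be dropped along with the `eslint-disable-line` if the check is expressed as an allowlist lookup instead of a comparison against the `'javascript:'` literal.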