-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validate URL to prevent XSS #727
base: master
Are you sure you want to change the base?
Conversation
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | ||
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { | ||
console.warn(`Header has blocked a javascript: URL as a security precaution`); | ||
return null; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Replace ··
with ····);⏎
return null; | |
); |
@@ -26,7 +26,12 @@ const StyledHeader = styled(Box)` | |||
`} | |||
`; | |||
|
|||
const Header = ({ link, logo, children, ...props }) => { | |||
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | |||
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Unnecessary escape character: :.
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | |
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*:/i |
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | ||
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { | ||
console.warn(`Header has blocked a javascript: URL as a security precaution`); | ||
return null; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Replace ··
with ····);⏎
return null; | |
); |
@@ -26,7 +26,12 @@ const StyledHeader = styled(Box)` | |||
`} | |||
`; | |||
|
|||
const Header = ({ link, logo, children, ...props }) => { | |||
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | |||
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Unnecessary escape character: :.
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | |
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*:/i |
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | ||
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | ||
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { | ||
console.warn(`Header has blocked a javascript: URL as a security precaution`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Replace ··console.warn(
Header·has·blocked·a·javascript:·URL·as·a·security·precaution);
with console.warn(⏎······
Header·has·blocked·a·javascript:·URL·as·a·security·precaution,
console.warn(`Header has blocked a javascript: URL as a security precaution`); | |
console.warn( |
const Header = ({ link, logo, children, ...props }) => { | ||
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | ||
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | ||
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Replace ····
with ··
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { | |
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { |
@@ -26,7 +26,12 @@ const StyledHeader = styled(Box)` | |||
`} | |||
`; | |||
|
|||
const Header = ({ link, logo, children, ...props }) => { | |||
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | |||
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Replace ·/^[\u0000-\u001F·]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i
with ⏎····/^[\u0000-\u001F·]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | |
const isJavaScriptProtocol = |
const Header = ({ link, logo, children, ...props }) => { | ||
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | ||
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | ||
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Replace ····
with ··
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { | |
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { |
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | ||
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | ||
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { | ||
console.warn(`Header has blocked a javascript: URL as a security precaution`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Unexpected console statement.
console.warn(`Header has blocked a javascript: URL as a security precaution`); | |
@@ -26,7 +26,12 @@ const StyledHeader = styled(Box)` | |||
`} | |||
`; | |||
|
|||
const Header = ({ link, logo, children, ...props }) => { | |||
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Replace ·link,·logo,·children,·allowJavaScriptUrls·=·True,·...props·
with ⏎··link,⏎··logo,⏎··children,⏎··allowJavaScriptUrls·=·True,⏎··...props⏎
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | |
const Header = ({ |
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | ||
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | ||
if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) { | ||
console.warn(`Header has blocked a javascript: URL as a security precaution`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Replace ··console.warn(
Header·has·blocked·a·javascript:·URL·as·a·security·precaution);
with console.warn(⏎······
Header·has·blocked·a·javascript:·URL·as·a·security·precaution,
console.warn(`Header has blocked a javascript: URL as a security precaution`); | |
console.warn( |
@@ -26,7 +26,12 @@ const StyledHeader = styled(Box)` | |||
`} | |||
`; | |||
|
|||
const Header = ({ link, logo, children, ...props }) => { | |||
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Replace ·link,·logo,·children,·allowJavaScriptUrls·=·True,·...props·
with ⏎··link,⏎··logo,⏎··children,⏎··allowJavaScriptUrls·=·True,⏎··...props⏎
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | |
const Header = ({ |
@@ -26,7 +26,12 @@ const StyledHeader = styled(Box)` | |||
`} | |||
`; | |||
|
|||
const Header = ({ link, logo, children, ...props }) => { | |||
const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => { | |||
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Codacy has a fix for the issue: Replace ·/^[\u0000-\u001F·]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i
with ⏎····/^[\u0000-\u001F·]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i | |
const isJavaScriptProtocol = |
Fix for Cross-Site Scripting (XSS) Vulnerability
I've identified a Cross-Site Scripting (XSS) vulnerability in this package.
Vulnerability Details:
Steps to Reproduce:
In a React.js project:
When a user clicks the link, the malicious code alert(1) will be executed.
Suggested Fix or Mitigation:
It is best practice for a React.js components package to sanitize the href attribute before passing it to an tag. React.js itself, along with many popular libraries such as react-router-dom and Next.js, also ensures the safety of href attributes. For instance, React.js issues warnings about URLs starting with javascript: and is planning to block these in future versions, as indicated in this pull request.
I've already fixed and tested this issue, and have submitted a pull request with the necessary changes. Please review and merge my pull request to resolve this vulnerability. Thanks!