Disallow data and javascript URIs (#1186)

* Disallow data and javascript URIs

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Erik Michelson 2021-04-11 22:48:31 +02:00 committed by GitHub
parent 031e37325c
commit 7a21a26166
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 100 additions and 1 deletions


@ -25,7 +25,13 @@ export class LinkReplacer extends ComponentReplacer {
return undefined
}
const url = node.attribs.href
const url = node.attribs.href.trim()
// eslint-disable-next-line no-script-url
if (url.startsWith('data:') || url.startsWith('javascript:')) {
return <span>{ node.attribs.href }</span>
}
const isJumpMark = url.substr(0, 1) === '#'
const id = url.substr(1)