webui: allow only whitelisted link protocols to prevent javascript in links

electron128 2015-07-30 20:05:54 +02:00 committed by cave beat
parent ff9bf71aa8
commit d94124a18b
3 changed files with 54 additions and 14 deletions


@ -1386,12 +1386,27 @@ var LinkWidget = React.createClass({
},
render: function(){
var c = this;
if(this.state.expanded){
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <div onClick={function(){c.setState({expanded: false});}}>close</div></div>;
}
else{
return <a onClick={function(e){c.setState({expanded: true});e.stopPropagation();}} href={this.props.url}>{this.props.label}</a>;
}
// setting href={something} is unsafe!
// only allow known link types
// we don't want javascript:alert(0) in a link
var http = "http://";
var https = "https://";
var retroshare = "retroshare://";
if(this.props.url.substr(0, http.length) === http
|| this.props.url.substr(0, https.lenth) === https
|| this.props.url.substr(0, retroshare.length) === retroshare)
{
if(this.state.expanded){
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <span onClick={function(){c.setState({expanded: false});}}> close</span></div>;
}
else{
return <a onClick={function(e){c.setState({expanded: true});e.preventDefault();}} href={this.props.url}>{this.props.label}</a>;
}
}
else
{
return <a>{"[unsafe link type detected: \""+this.props.url+"\"] "+this.props.label}</a>;
}
},
});
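Review bot: The https branch of the new allowlist reads `https.lenth`, which is `undefined`, so `substr(0, undefined)` returns the whole URL and the comparison only matches the bare string `https://`. Every real https link therefore lands in the "unsafe link type detected" branch; this fails on the safe side, but the line should read `|| this.props.url.substr(0, https.length) === https`. The prefix comparison is also case-sensitive and assumes `this.props.url` is a string, so `HTTPS://…` is rejected and a missing `url` prop would throw inside `render`. A one-line comment stating that rejecting anything outside the allowlist is the intended default would make that explicit. The `LinkWidget` definition starts above this hunk, so how `url` is supplied is not visible here.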