Git-Mirrors/RetroShare
1
0
Fork 0
mirror of https://github.com/RetroShare/RetroShare.git synced 2025-01-26 15:28:28 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity

webui: allow only whitelisted link protocols to prevent javascript in links

Browse Source
This commit is contained in:
electron128 2015-07-30 20:05:54 +02:00 committed by cave beat
parent ff9bf71aa8
commit d94124a18b
3 changed files with 54 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libresapi/src/api/ChatHandler.cpp
View File

@ -332,9 +332,19 @@ void ChatHandler::tick()
if( current_link.first != -1 if( current_link.first != -1
&& last_six_chars.size() >= a.size() && last_six_chars.size() >= a.size()
&& last_six_chars.substr(last_six_chars.size()-a.size()) == a) && last_six_chars.substr(last_six_chars.size()-a.size()) == a)
{
// only allow these protocols
// we don't want for example javascript:alert(0)
std::string http = "http://";
std::string https = "https://";
std::string retroshare = "retroshare://";
if( out.substr(current_link.first, http.size()) == http
|| out.substr(current_link.first, https.size()) == https
|| out.substr(current_link.first, retroshare.size()) == retroshare)
{ {
current_link.third = out.size(); current_link.third = out.size();
links.push_back(current_link); links.push_back(current_link);
}
current_link = Triple(); current_link = Triple();
} }
} }

19
libresapi/src/webfiles/gui.jsx
View File

@ -1386,11 +1386,26 @@ var LinkWidget = React.createClass({
}, },
render: function(){ render: function(){
var c = this; var c = this;
// setting href={something} is unsafe!
// only allow known link types
// we don't want javascript:alert(0) in a link
var http = "http://";
var https = "https://";
var retroshare = "retroshare://";
if(this.props.url.substr(0, http.length) === http
|| this.props.url.substr(0, https.lenth) === https
|| this.props.url.substr(0, retroshare.length) === retroshare)
{
if(this.state.expanded){ if(this.state.expanded){
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <div onClick={function(){c.setState({expanded: false});}}>close</div></div>; return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <span onClick={function(){c.setState({expanded: false});}}> close</span></div>;
} }
else{ else{
return <a onClick={function(e){c.setState({expanded: true});e.stopPropagation();}} href={this.props.url}>{this.props.label}</a>; return <a onClick={function(e){c.setState({expanded: true});e.preventDefault();}} href={this.props.url}>{this.props.label}</a>;
}
}
else
{
return <a>{"[unsafe link type detected: \""+this.props.url+"\"] "+this.props.label}</a>;
} }
}, },
}); });

19
libresapi/src/webui/gui.jsx
View File

@ -1386,11 +1386,26 @@ var LinkWidget = React.createClass({
}, },
render: function(){ render: function(){
var c = this; var c = this;
// setting href={something} is unsafe!
// only allow known link types
// we don't want javascript:alert(0) in a link
var http = "http://";
var https = "https://";
var retroshare = "retroshare://";
if(this.props.url.substr(0, http.length) === http
|| this.props.url.substr(0, https.lenth) === https
|| this.props.url.substr(0, retroshare.length) === retroshare)
{
if(this.state.expanded){ if(this.state.expanded){
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <div onClick={function(){c.setState({expanded: false});}}>close</div></div>; return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <span onClick={function(){c.setState({expanded: false});}}> close</span></div>;
} }
else{ else{
return <a onClick={function(e){c.setState({expanded: true});e.stopPropagation();}} href={this.props.url}>{this.props.label}</a>; return <a onClick={function(e){c.setState({expanded: true});e.preventDefault();}} href={this.props.url}>{this.props.label}</a>;
}
}
else
{
return <a>{"[unsafe link type detected: \""+this.props.url+"\"] "+this.props.label}</a>;
} }
}, },
}); });