webui: allow only whitelisted link protocols to prevent javascript in links

This commit is contained in:
electron128 2015-07-30 20:05:54 +02:00 committed by cave beat
parent ff9bf71aa8
commit d94124a18b
3 changed files with 54 additions and 14 deletions


@ -332,9 +332,19 @@ void ChatHandler::tick()
if( current_link.first != -1
&& last_six_chars.size() >= a.size()
&& last_six_chars.substr(last_six_chars.size()-a.size()) == a)
{
// only allow these protocols
// we don't want for example javascript:alert(0)
std::string http = "http://";
std::string https = "https://";
std::string retroshare = "retroshare://";
if( out.substr(current_link.first, http.size()) == http
|| out.substr(current_link.first, https.size()) == https
|| out.substr(current_link.first, retroshare.size()) == retroshare)
{
current_link.third = out.size();
links.push_back(current_link);
}
current_link = Triple();
}
}
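Review bot: The three `std::string` locals at L18–L20 are rebuilt on every pass through this branch and each `out.substr(...)` allocates a temporary just to compare a prefix; `std::string::compare(pos, len, str)` does the same check without copies, e.g. `if( out.compare(current_link.first, http.size(), http) == 0` / `|| out.compare(current_link.first, https.size(), https) == 0` / `|| out.compare(current_link.first, retroshare.size(), retroshare) == 0)`. Both forms throw `std::out_of_range` when `current_link.first > out.size()`, which appears to hold here only because `current_link.first` is maintained earlier in `tick()` — worth a one-line comment stating that invariant next to the check. The comparison is case-sensitive, so a link typed as `HTTP://...` is silently dropped rather than rendered; that is the safe direction for a whitelist, but a comment such as `// case-sensitive on purpose: unknown or oddly-cased schemes are dropped, never rendered` would record that it is intentional. The enclosing `ChatHandler::tick()` starts before and ends after this hunk.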


@ -1386,11 +1386,26 @@ var LinkWidget = React.createClass({
},
render: function(){
var c = this;
// setting href={something} is unsafe!
// only allow known link types
// we don't want javascript:alert(0) in a link
var http = "http://";
var https = "https://";
var retroshare = "retroshare://";
if(this.props.url.substr(0, http.length) === http
|| this.props.url.substr(0, https.lenth) === https
|| this.props.url.substr(0, retroshare.length) === retroshare)
{
if(this.state.expanded){
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <div onClick={function(){c.setState({expanded: false});}}>close</div></div>;
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <span onClick={function(){c.setState({expanded: false});}}> close</span></div>;
}
else{
return <a onClick={function(e){c.setState({expanded: true});e.stopPropagation();}} href={this.props.url}>{this.props.label}</a>;
return <a onClick={function(e){c.setState({expanded: true});e.preventDefault();}} href={this.props.url}>{this.props.label}</a>;
}
}
else
{
return <a>{"[unsafe link type detected: \""+this.props.url+"\"] "+this.props.label}</a>;
}
},
});
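Review bot: `https.lenth` at L45 is a typo for `https.length`: `this.props.url.substr(0, undefined)` returns the whole url, so the second test only matches a url that is exactly `"https://"` and every real https link falls into the "unsafe link type detected" branch. The fix is `|| this.props.url.substr(0, https.length) === https`; the same typo appears in the second copy of this file section at L77. The whitelist approach itself is right — an exact-prefix check on `http://`, `https://` and `retroshare://` keeps `javascript:` and `data:` out of `href`, and the fallback branch renders the url only as text, which React escapes. Consider collecting the prefixes in an array and testing with a single `some()` so the list cannot drift between the two branches and a future scheme is added in one place. If `this.props.url` can be undefined, `substr` throws before the check runs; a guard or a `propTypes` declaration requiring a string would make that explicit — please confirm how `LinkWidget` is instantiated.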


@ -1386,11 +1386,26 @@ var LinkWidget = React.createClass({
},
render: function(){
var c = this;
// setting href={something} is unsafe!
// only allow known link types
// we don't want javascript:alert(0) in a link
var http = "http://";
var https = "https://";
var retroshare = "retroshare://";
if(this.props.url.substr(0, http.length) === http
|| this.props.url.substr(0, https.lenth) === https
|| this.props.url.substr(0, retroshare.length) === retroshare)
{
if(this.state.expanded){
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <div onClick={function(){c.setState({expanded: false});}}>close</div></div>;
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <span onClick={function(){c.setState({expanded: false});}}> close</span></div>;
}
else{
return <a onClick={function(e){c.setState({expanded: true});e.stopPropagation();}} href={this.props.url}>{this.props.label}</a>;
return <a onClick={function(e){c.setState({expanded: true});e.preventDefault();}} href={this.props.url}>{this.props.label}</a>;
}
}
else
{
return <a>{"[unsafe link type detected: \""+this.props.url+"\"] "+this.props.label}</a>;
}
},
});