webui: allow only whitelisted link protocols to prevent javascript in links
This commit is contained in:
parent
ff9bf71aa8
commit
d94124a18b
@ -332,9 +332,19 @@ void ChatHandler::tick()
|
||||
if( current_link.first != -1
|
||||
&& last_six_chars.size() >= a.size()
|
||||
&& last_six_chars.substr(last_six_chars.size()-a.size()) == a)
|
||||
{
|
||||
// only allow these protocols
|
||||
// we don't want for example javascript:alert(0)
|
||||
std::string http = "http://";
|
||||
std::string https = "https://";
|
||||
std::string retroshare = "retroshare://";
|
||||
if( out.substr(current_link.first, http.size()) == http
|
||||
|| out.substr(current_link.first, https.size()) == https
|
||||
|| out.substr(current_link.first, retroshare.size()) == retroshare)
|
||||
{
|
||||
current_link.third = out.size();
|
||||
links.push_back(current_link);
|
||||
}
|
||||
current_link = Triple();
|
||||
}
|
||||
}
|
||||
|
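Review bot: The three scheme literals are constructed as fresh std::string objects and compared through substr() copies each time this branch runs, and the identical whitelist is repeated verbatim in the LinkWidget hunk below, so the two lists can drift apart without anyone noticing. A single static table checked with std::string::compare removes the temporaries and gives the C++ side one place for the list; compare(pos, len, str) keeps the same out_of_range behaviour as the existing substr, so it relies, as the current code already does, on current_link.first being a valid index into out. The match is case-sensitive, which is fail-closed (`HTTP://` is rejected along with `javascript:`) and worth saying in the comment, e.g. `// case-sensitive on purpose: anything not matching exactly is dropped`. The range-for below assumes the project builds as C++11 or later; otherwise an index loop over the array does the same. The enclosing ChatHandler::tick() begins and ends outside the hunk.
```cpp
// … unchanged: link-end detection on last_six_chars …
{
    // only allow these protocols
    // we don't want for example javascript:alert(0)
    // case-sensitive on purpose: anything not matching exactly is dropped
    static const std::string allowed_schemes[] = {"http://", "https://", "retroshare://"};
    bool allowed = false;
    for (const std::string& scheme : allowed_schemes)
    {
        if (out.compare(current_link.first, scheme.size(), scheme) == 0)
        {
            allowed = true;
            break;
        }
    }
    if (allowed)
    {
        current_link.third = out.size();
        links.push_back(current_link);
    }
    current_link = Triple();
}
```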
@ -1386,11 +1386,26 @@ var LinkWidget = React.createClass({
|
||||
},
|
||||
render: function(){
|
||||
var c = this;
|
||||
// setting href={something} is unsafe!
|
||||
// only allow known link types
|
||||
// we don't want javascript:alert(0) in a link
|
||||
var http = "http://";
|
||||
var https = "https://";
|
||||
var retroshare = "retroshare://";
|
||||
if(this.props.url.substr(0, http.length) === http
|
||||
|| this.props.url.substr(0, https.lenth) === https
|
||||
|| this.props.url.substr(0, retroshare.length) === retroshare)
|
||||
{
|
||||
if(this.state.expanded){
|
||||
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <div onClick={function(){c.setState({expanded: false});}}>close</div></div>;
|
||||
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <span onClick={function(){c.setState({expanded: false});}}> close</span></div>;
|
||||
}
|
||||
else{
|
||||
return <a onClick={function(e){c.setState({expanded: true});e.stopPropagation();}} href={this.props.url}>{this.props.label}</a>;
|
||||
return <a onClick={function(e){c.setState({expanded: true});e.preventDefault();}} href={this.props.url}>{this.props.label}</a>;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
return <a>{"[unsafe link type detected: \""+this.props.url+"\"] "+this.props.label}</a>;
|
||||
}
|
||||
},
|
||||
});
|
||||
|
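Review bot: `https.lenth` in the second condition of the whitelist check is a typo for `https.length`, so substr(0, undefined) returns the whole url and the comparison only succeeds when the url is exactly "https://"; every real https link therefore lands in the "unsafe link type detected" branch. Change the line to `|| this.props.url.substr(0, https.length) === https`. The check also assumes this.props.url is a string; if a caller can pass undefined, the .substr call throws before the whitelist is evaluated, which is worth confirming against LinkWidget's callers. The same hunk is rendered a second time further down the page and carries the same typo. render() is shown in full, but the LinkWidget definition starts outside the hunk.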
@ -1386,11 +1386,26 @@ var LinkWidget = React.createClass({
|
||||
},
|
||||
render: function(){
|
||||
var c = this;
|
||||
// setting href={something} is unsafe!
|
||||
// only allow known link types
|
||||
// we don't want javascript:alert(0) in a link
|
||||
var http = "http://";
|
||||
var https = "https://";
|
||||
var retroshare = "retroshare://";
|
||||
if(this.props.url.substr(0, http.length) === http
|
||||
|| this.props.url.substr(0, https.lenth) === https
|
||||
|| this.props.url.substr(0, retroshare.length) === retroshare)
|
||||
{
|
||||
if(this.state.expanded){
|
||||
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <div onClick={function(){c.setState({expanded: false});}}>close</div></div>;
|
||||
return <div>Really follow this link? <a href={this.props.url}>{this.props.url}</a> <span onClick={function(){c.setState({expanded: false});}}> close</span></div>;
|
||||
}
|
||||
else{
|
||||
return <a onClick={function(e){c.setState({expanded: true});e.stopPropagation();}} href={this.props.url}>{this.props.label}</a>;
|
||||
return <a onClick={function(e){c.setState({expanded: true});e.preventDefault();}} href={this.props.url}>{this.props.label}</a>;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
return <a>{"[unsafe link type detected: \""+this.props.url+"\"] "+this.props.label}</a>;
|
||||
}
|
||||
},
|
||||
});
|
||||
|