Fix XSS in examples
12joan committed Jul 30, 2024
1 parent 6548197 commit 49b11a8
Showing 3 changed files with 56 additions and 4 deletions.
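--- a/site/examples/embeds.tsx
+++ b/site/examples/embeds.tsx
@@ -41,9 +41,24 @@ const Element = props => {
 }
 }
 
+const allowedSchemes = ['http:', 'https:']
+
 const VideoElement = ({ attributes, children, element }) => {
 const editor = useSlateStatic()
 const { url } = element
+
+const safeUrl = useMemo(() => {
+let parsedUrl: URL = null
+try {
+parsedUrl = new URL(url)
+// eslint-disable-next-line no-empty
+} catch {}
+if (parsedUrl && allowedSchemes.includes(parsedUrl.protocol)) {
+return parsedUrl.href
+}
+return 'about:blank'
+}, [url])
+
 return (
 <div {...attributes}>
 <div contentEditable={false}>
@@ -54,7 +69,7 @@ const VideoElement = ({ attributes, children, element }) => {
 }}
 >
 <iframe
-src={`${url}?title=0&byline=0&portrait=0`}
+src={`${safeUrl}?title=0&byline=0&portrait=0`}
 frameBorder="0"
 style={{
 position: 'absolute',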
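Review bot: The `about:blank` fallback and any already-parameterised URL still get `?title=0&byline=0&portrait=0` string-appended on the `src` line of the second hunk, so a rejected URL renders as `about:blank?title=0…` and a validated URL that already carries a query or fragment gets a second `?` (or the parameters land in the fragment). Setting the player parameters on the parsed `URL` inside the memo and passing `safeUrl` straight to `src` avoids both artefacts. Note also that the scheme allowlist still lets any http(s) origin be framed; the query parameters look like one video provider's player options, so if only that provider is expected, an `allowedHosts` check on `parsedUrl.hostname` and/or a `sandbox` attribute on the iframe would narrow the exposure further. VideoElement's JSX continues outside both hunks.
```typescript
const safeUrl = useMemo(() => {
  let parsedUrl: URL | null = null
  try {
    parsedUrl = new URL(url)
    // eslint-disable-next-line no-empty
  } catch {}
  if (!parsedUrl || !allowedSchemes.includes(parsedUrl.protocol)) {
    return 'about:blank'
  }
  // Set the player options on the parsed URL rather than string-appending
  // '?…', which breaks for URLs that already carry a query or fragment.
  parsedUrl.searchParams.set('title', '0')
  parsedUrl.searchParams.set('byline', '0')
  parsedUrl.searchParams.set('portrait', '0')
  return parsedUrl.href
}, [url])
// … unchanged: wrapper divs and style …
<iframe
  src={safeUrl}
```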
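--- a/site/examples/inlines.tsx
+++ b/site/examples/inlines.tsx
@@ -242,12 +242,27 @@ const InlineChromiumBugfix = () => (
 </span>
 )
 
+const allowedSchemes = ['http:', 'https:', 'mailto:', 'tel:']
+
 const LinkComponent = ({ attributes, children, element }) => {
 const selected = useSelected()
+
+const safeUrl = useMemo(() => {
+let parsedUrl: URL = null
+try {
+parsedUrl = new URL(element.url)
+// eslint-disable-next-line no-empty
+} catch {}
+if (parsedUrl && allowedSchemes.includes(parsedUrl.protocol)) {
+return parsedUrl.href
+}
+return 'about:blank'
+}, [element.url])
+
 return (
 <a
 {...attributes}
-href={element.url}
+href={safeUrl}
 className={
 selected
 ? css`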
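Review bot: `new URL(element.url)` is called without a base, so relative links (`/docs`, `page.html`, `#top`) throw, are swallowed by the empty `catch`, and silently become `about:blank` — a behaviour change from the previous `href={element.url}` for any such link in the example content. If absolute links are the intent, say so on the memo, e.g. `// Absolute http(s)/mailto/tel links only; relative URLs fail to parse and fall back to about:blank`; if relative links should keep working, resolve them against a base URL before the scheme check. Separately, `let parsedUrl: URL = null` only compiles with `strictNullChecks` off; `let parsedUrl: URL | null = null` is the strict form. LinkComponent's JSX continues past the end of the hunk.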
26 changes: 24 additions & 2 deletions site/examples/paste-html.tsx
Expand Up @@ -160,15 +160,37 @@ const Element = props => {
return <ol {...attributes}>{children}</ol>
case 'link':
return (
<a href={element.url} {...attributes}>
<SafeLink href={element.url} {...attributes}>
{children}
</a>
</SafeLink>
)
case 'image':
return <ImageElement {...props} />
}
}

const allowedSchemes = ['http:', 'https:', 'mailto:', 'tel:']

const SafeLink = ({ attributes, children, href }) => {
const safeHref = useMemo(() => {
let parsedUrl: URL = null
try {
parsedUrl = new URL(href)
// eslint-disable-next-line no-empty
} catch {}
if (parsedUrl && allowedSchemes.includes(parsedUrl.protocol)) {
return parsedUrl.href
}
return 'about:blank'
}, [href])

return (
<a href={safeHref} {...attributes}>
{children}
</a>
)
}

const ImageElement = ({ attributes, children, element }) => {
const selected = useSelected()
const focused = useFocused()
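Review bot: The parse-and-allowlist routine in `SafeLink` is the third copy of the same logic in this commit (embeds.tsx and inlines.tsx carry the others) and the allowlists already differ, so the next scheme change has to be made in three places. Pulling it into one `sanitizeUrl(url, allowedSchemes)` helper, ideally shared by the three examples, keeps the policy in one spot and gives it a home for a comment explaining why `about:blank` is the fallback. Since pasted HTML is untrusted, the `img` `src` that reaches `ImageElement` (the `'image'` case just above `SafeLink`) presumably comes through the same deserializer and gets no scheme check here; `javascript:` in an `img` `src` is not executed by current browsers, but applying the same allowlist would be a cheap consistency win — worth confirming against the deserializer, which is outside the hunk. `ImageElement`'s body also continues past the end of the hunk.
```typescript
// Parse `url` and return its normalised form if the scheme is allowed,
// otherwise an inert `about:blank`; unparseable input counts as rejected.
const sanitizeUrl = (url: string, allowedSchemes: readonly string[]): string => {
  let parsedUrl: URL | null = null
  try {
    parsedUrl = new URL(url)
    // eslint-disable-next-line no-empty
  } catch {}
  return parsedUrl && allowedSchemes.includes(parsedUrl.protocol)
    ? parsedUrl.href
    : 'about:blank'
}

const SafeLink = ({ attributes, children, href }) => {
  const safeHref = useMemo(() => sanitizeUrl(href, allowedSchemes), [href])
  // … unchanged: rendered <a href={safeHref} {...attributes}> …
}
```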
