Improved sanitization of href's in editor

This commit is contained in:
Tom Moor
2022-07-05 10:14:16 +02:00
parent 2f3dcb2520
commit 4e189b8970
9 changed files with 94 additions and 45 deletions


@@ -4,6 +4,7 @@ import { NodeSpec, NodeType, Node as ProsemirrorNode } from "prosemirror-model";
import * as React from "react";
import { Trans } from "react-i18next";
import { bytesToHumanReadable } from "../../utils/files";
import { sanitizeHref } from "../../utils/urls";
import toggleWrap from "../commands/toggleWrap";
import FileExtension from "../components/FileExtension";
import Widget from "../components/Widget";
@@ -56,7 +57,7 @@ export default class Attachment extends Node {
{
class: `attachment`,
id: node.attrs.id,
href: node.attrs.href,
href: sanitizeHref(node.attrs.href),
download: node.attrs.title,
"data-size": node.attrs.size,
},
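Review bot: `sanitizeHref` is applied only on output, in the `toDOM` attribute object (`href: sanitizeHref(node.attrs.href)`), so the raw value stays in `node.attrs.href` and reaches any other consumer of the attribute; the same pattern is used for the Embed node's `src` in the next file. Sanitizing in `parseDOM`'s `getAttrs` as well would keep the stored document clean instead of relying on each serializer to remember the call — I cannot see from this hunk whether the markdown serializer for these nodes does. The behaviour of `sanitizeHref` for a rejected URL is also not visible here; a short comment at the call such as `// sanitizeHref drops unsafe schemes; a rejected value becomes <fallback — confirm in utils/urls>` would tell the reader what the attachment renders to in that case. The `Attachment` class body continues outside the hunk.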


@@ -2,6 +2,7 @@ import Token from "markdown-it/lib/token";
import { NodeSpec, NodeType, Node as ProsemirrorNode } from "prosemirror-model";
import { EditorState } from "prosemirror-state";
import * as React from "react";
import { sanitizeHref } from "../../utils/urls";
import DisabledEmbed from "../components/DisabledEmbed";
import { MarkdownSerializerState } from "../lib/markdown/serializer";
import embedsRule from "../rules/embeds";
@@ -47,7 +48,11 @@ export default class Embed extends Node {
],
toDOM: (node) => [
"iframe",
{ class: "embed", src: node.attrs.href, contentEditable: "false" },
{
class: "embed",
src: sanitizeHref(node.attrs.href),
contentEditable: "false",
},
0,
],
toPlainText: (node) => node.attrs.href,
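Review bot: For an iframe, a scheme check on `src` is a thinner guard than the same check on an anchor `href`, because any URL that passes is loaded as a framed document rather than merely offered as a link, and the `toDOM` attribute object sets no `sandbox` or `referrerpolicy`, so the framed page runs with browser defaults. If `embedsRule` already restricts this node to a known embed allow-list that is probably sufficient, but a comment next to `src: sanitizeHref(node.attrs.href)` stating it, e.g. `// href is pre-filtered by embedsRule; sanitizeHref is a second check on the scheme`, would spare the next reader the trip and make the trust boundary explicit. The trailing `toPlainText: (node) => node.attrs.href` keeps the raw value, which is appropriate for plain-text output. The `Embed` class body continues outside the hunk.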