Improving the urls to not break protocols and adding tests (#3995)

* Improving the urls utils to not break dynamic protocols and testing the utils

Signed-off-by: iifawzi <iifawzie@gmail.com>

* Adding a list of blocked protocols

Signed-off-by: iifawzi <iifawzie@gmail.com>

* Update the way of sanitizing blocked protocols

Signed-off-by: iifawzi <iifawzie@gmail.com>

* Update shared/utils/urls.ts

Javascript pseudo protocol does not require the //

Co-authored-by: Tom Moor <tom.moor@gmail.com>

* updating the javascript protocol sanitizing tests

Signed-off-by: iifawzi <iifawzie@gmail.com>

* Update shared/utils/urls.test.ts

Co-authored-by: Apoorv Mishra <apoorvmishra101092@gmail.com>

* Update shared/utils/urls.ts

Co-authored-by: Apoorv Mishra <apoorvmishra101092@gmail.com>

* Using toBe instead of toEqual in tests

Signed-off-by: iifawzi <iifawzie@gmail.com>

* Sanitizing data: and vbscript:

Signed-off-by: iifawzi <iifawzie@gmail.com>

* Using toBeUndefined instead of toEqual in tests

Signed-off-by: iifawzi <iifawzie@gmail.com>

* Using URL to check the protocols

Signed-off-by: iifawzi <iifawzie@gmail.com>

* Allowing sms, fax, and tel protocols

Signed-off-by: iifawzi <iifawzie@gmail.com>

* Update shared/utils/urls.ts

inlining the protocols in the same file

Co-authored-by: Tom Moor <tom.moor@gmail.com>

* removing unused protocols constant

Signed-off-by: iifawzi <iifawzie@gmail.com>

Signed-off-by: iifawzi <iifawzie@gmail.com>
Co-authored-by: Tom Moor <tom.moor@gmail.com>
Co-authored-by: Apoorv Mishra <apoorvmishra101092@gmail.com>
Fawzi E. Abdulfattah
2022-09-07 13:21:56 +02:00
committed by GitHub
parent 1e39b564fe
commit eb5126335c
2 changed files with 103 additions and 3 deletions


@@ -55,7 +55,9 @@ export function isUrl(text: string) {
try {
const url = new URL(text);
return url.hostname !== "";
const blockedProtocols = ["javascript:", "file:", "vbscript:", "data:"];
return url.hostname !== "" && !blockedProtocols.includes(url.protocol);
} catch (err) {
return false;
}
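Review bot: `blockedProtocols` in `isUrl` is a denylist of four schemes, so any other scheme that parses with a non-empty hostname is still accepted as a URL. If that is the intent (the commit message mentions not breaking dynamic protocols), say so in the function's doc comment and list the rejected schemes there. The array is also rebuilt on every call; moving it to a module-level constant keeps the list in one reviewable place. The comparison itself is sound because `URL` normalises `protocol` to lower case, so a mixed-case `JavaScript:` input is still matched by the `"javascript:"` entry.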
@@ -68,7 +70,7 @@ export function isUrl(text: string) {
* @returns True if the url is external, false otherwise.
*/
export function isExternalUrl(url: string) {
return !isInternalUrl(url);
return !!url && !isInternalUrl(url);
}
/**
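Review bot: the `!!url` guard in `isExternalUrl` handles a falsy argument, but the signature still declares `url: string` and the doc comment above only says "True if the url is external, false otherwise". If callers can pass `null` or `undefined`, widen the parameter type to match (as `sanitizeUrl` does with `string | null | undefined`) and state in the comment that empty input returns false.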
@@ -87,7 +89,10 @@ export function sanitizeUrl(url: string | null | undefined) {
!isUrl(url) &&
!url.startsWith("/") &&
!url.startsWith("#") &&
!url.startsWith("mailto:")
!url.startsWith("mailto:") &&
!url.startsWith("sms:") &&
!url.startsWith("fax:") &&
!url.startsWith("tel:")
) {
return `https://${url}`;
}
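Review bot: the `startsWith("mailto:")`, `"sms:"`, `"fax:"` and `"tel:"` checks in `sanitizeUrl` are case-sensitive, while URI schemes are case-insensitive, so an input written as `TEL:...` fails all four tests and, when `isUrl` also rejects it, gets `https://` prepended. Compare against a lower-cased copy of the input, or keep the allowed prefixes in one array and test with `some(...)`, so that adding a scheme later is a one-line change and the list can be covered by a single parameterised test.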