Merge branch 'main' into ernesto/new-stable-release

Doist · Aug 13, 2024 · edadaa8 · edadaa8
2 parents 4c2ba12 + 0950e92
commit edadaa8
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 6 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/ui-extensions-core/package.json b/packages/ui-extensions-core/package.json
@@ -1,6 +1,6 @@
 {
     "name": "@doist/ui-extensions-core",
-    "version": "4.2.0",
+    "version": "4.2.1",
     "description": "",
     "main": "dist/index.js",
     "types": "dist/index.d.ts",

diff --git a/packages/ui-extensions-core/src/ui-helpers/card-helpers.ts b/packages/ui-extensions-core/src/ui-helpers/card-helpers.ts
@@ -1,4 +1,6 @@
-import { type DoistCardVersion, DoistCard } from '../doist-card'
+import { DoistCard } from '../doist-card'
+
+import type { DoistCardVersion } from '../doist-card'
 
 /**
  * Creates an empty DoistCard

diff --git a/packages/ui-extensions-react/package.json b/packages/ui-extensions-react/package.json
@@ -36,7 +36,7 @@
     },
     "peerDependencies": {
         "@doist/reactist": "^25.0.0",
-        "@doist/ui-extensions-core": "^4.1.1",
+        "@doist/ui-extensions-core": "^4.2.0",
         "adaptivecards": "^2.9.0",
         "react": "^17.0.0 || ^18.0.0",
         "react-dom": "^17.0.0 || ^18.0.0",

diff --git a/packages/ui-extensions-react/src/components/adaptive-card/AdaptiveCardRenderer.tsx b/packages/ui-extensions-react/src/components/adaptive-card/AdaptiveCardRenderer.tsx
@@ -61,6 +61,28 @@ export function registerMarkdownParser(markdownParser: (text: string) => string)
     }
 }
 
+/**
+ * Protects against XSS attacks by validating the URL.
+ * @param url
+ * @returns
+ */
+function isValidUrl(url: string): boolean {
+    try {
+        // Parse the URL using the URL constructor
+        const parsedUrl = new URL(url)
+
+        // Check for allowed protocols
+        if (parsedUrl.protocol === 'http:' || parsedUrl.protocol === 'https:') {
+            return true
+        } else {
+            return false
+        }
+    } catch {
+        // If URL constructor throws an error, it's an invalid URL
+        return false
+    }
+}
+
 /**
  * To support markdown, register a markdown parser via `registerMarkdownParser`
  * @see registerMarkdownParser
@@ -97,7 +119,7 @@ export function AdaptiveCardRenderer({
         try {
             const inputs = adaptiveCard.getAllInputs()
             const inputsObject = getInputObject(inputs)
-            if (action instanceof OpenUrlAction && action.url) {
+            if (action instanceof OpenUrlAction && action.url && isValidUrl(action.url)) {
                 window.open(action.url, '_blank')
             } else if (action instanceof ClipboardAction && action.text) {
                 clipboardHandler(action.text)