Merge pull request #5803 from plotly/dummy-anchor-href

Fix to improve sanitizing href inputs for SVG and HTML text elements
plotly · Jul 6, 2021 · efe3802 · efe3802
2 parents 17c9f0c + 75f6351
commit efe3802
Show file tree

Hide file tree

Showing 29 changed files with 403 additions and 204 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,18 @@ To see all merged commits on the master branch that will be part of the next plo
 
 where X.Y.Z is the semver of most recent plotly.js release.
 
+## [2.2.1] -- 2021-07-06
+
+### Fixed
+ - Fix to improve sanitizing href inputs for SVG and HTML text elements [[#5803](https://github.com/plotly/plotly.js/pull/5803)]
+
+
+## [1.58.5] -- 2021-07-06
+
+### Fixed
+ - Fix to improve sanitizing href inputs for SVG and HTML text elements [[#5803](https://github.com/plotly/plotly.js/pull/5803)]
+
+
 ## [2.2.0] -- 2021-06-28
 
 ### Added

diff --git a/README.md b/README.md
@@ -55,7 +55,7 @@ You may also consider using [`plotly.js-dist`](https://www.npmjs.com/package/plo
 
 ```html
 <head>
-    <script src="https://cdn.plot.ly/plotly-2.2.0.min.js"></script>
+    <script src="https://cdn.plot.ly/plotly-2.2.1.min.js"></script>
 </head>
 <body>
     <div id="gd"></div>
@@ -72,7 +72,7 @@ You may also consider using [`plotly.js-dist`](https://www.npmjs.com/package/plo
 Alternatively you may consider using [native ES6 import](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Modules) in the script tag.
 ```html
 <script type="module">
-    import "https://cdn.plot.ly/plotly-2.2.0.min.js"
+    import "https://cdn.plot.ly/plotly-2.2.1.min.js"
     Plotly.newPlot("gd", [{ y: [1, 2, 3] }])
 </script>
 ```
@@ -82,10 +82,10 @@ Fastly supports Plotly.js with free CDN service. Read more at <https://www.fastl
 ### Un-minified versions are also available on CDN
 While non-minified source files may contain characters outside UTF-8, it is recommended that you specify the `charset` when loading those bundles.
 ```html
-<script src="https://cdn.plot.ly/plotly-2.2.0.js" charset="utf-8"></script>
+<script src="https://cdn.plot.ly/plotly-2.2.1.js" charset="utf-8"></script>
 ```
 
-> Please note that as of v2 the "plotly-latest" outputs (e.g. https://cdn.plot.ly/plotly-latest.min.js) will no longer be updated on the CDN, and will stay at the last v1 patch v1.58.4. Therefore, to use the CDN with plotly.js v2 and higher, you must specify an exact plotly.js version.
+> Please note that as of v2 the "plotly-latest" outputs (e.g. https://cdn.plot.ly/plotly-latest.min.js) will no longer be updated on the CDN, and will stay at the last v1 patch v1.58.5. Therefore, to use the CDN with plotly.js v2 and higher, you must specify an exact plotly.js version.
 
 To support MathJax, you need to load version two of MathJax e.g. `v2.7.5` files from CDN or npm.
 ```html

diff --git a/dist/README.md b/dist/README.md
@@ -46,9 +46,9 @@ The main plotly.js bundles weight in at:
 | 8 MB | 3.4 MB | 1019.6 kB | 8.3 MB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-2.2.0.js
+> https://cdn.plot.ly/plotly-2.2.1.js
 
-> https://cdn.plot.ly/plotly-2.2.0.min.js
+> https://cdn.plot.ly/plotly-2.2.1.min.js
 
 
 #### npm packages
@@ -94,9 +94,9 @@ The `basic` partial bundle contains trace modules `bar`, `pie` and `scatter`.
 | 2.7 MB | 1007.3 kB | 327.3 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-basic-2.2.0.js
+> https://cdn.plot.ly/plotly-basic-2.2.1.js
 
-> https://cdn.plot.ly/plotly-basic-2.2.0.min.js
+> https://cdn.plot.ly/plotly-basic-2.2.1.min.js
 
 
 #### npm packages
@@ -114,12 +114,12 @@ The `cartesian` partial bundle contains trace modules `bar`, `box`, `contour`, `
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 3.3 MB | 1.2 MB | 398.7 kB |
+| 3.3 MB | 1.2 MB | 398.8 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-cartesian-2.2.0.js
+> https://cdn.plot.ly/plotly-cartesian-2.2.1.js
 
-> https://cdn.plot.ly/plotly-cartesian-2.2.0.min.js
+> https://cdn.plot.ly/plotly-cartesian-2.2.1.min.js
 
 
 #### npm packages
@@ -137,12 +137,12 @@ The `geo` partial bundle contains trace modules `choropleth`, `scatter` and `sca
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 2.9 MB | 1 MB | 337.3 kB |
+| 2.9 MB | 1 MB | 337.4 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-geo-2.2.0.js
+> https://cdn.plot.ly/plotly-geo-2.2.1.js
 
-> https://cdn.plot.ly/plotly-geo-2.2.0.min.js
+> https://cdn.plot.ly/plotly-geo-2.2.1.min.js
 
 
 #### npm packages
@@ -163,9 +163,9 @@ The `gl3d` partial bundle contains trace modules `cone`, `isosurface`, `mesh3d`,
 | 3.8 MB | 1.5 MB | 482.7 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-gl3d-2.2.0.js
+> https://cdn.plot.ly/plotly-gl3d-2.2.1.js
 
-> https://cdn.plot.ly/plotly-gl3d-2.2.0.min.js
+> https://cdn.plot.ly/plotly-gl3d-2.2.1.min.js
 
 
 #### npm packages
@@ -183,12 +183,12 @@ The `gl2d` partial bundle contains trace modules `heatmapgl`, `parcoords`, `poin
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 3.8 MB | 1.5 MB | 503.1 kB |
+| 3.8 MB | 1.5 MB | 503.2 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-gl2d-2.2.0.js
+> https://cdn.plot.ly/plotly-gl2d-2.2.1.js
 
-> https://cdn.plot.ly/plotly-gl2d-2.2.0.min.js
+> https://cdn.plot.ly/plotly-gl2d-2.2.1.min.js
 
 
 #### npm packages
@@ -209,9 +209,9 @@ The `mapbox` partial bundle contains trace modules `choroplethmapbox`, `densitym
 | 4.4 MB | 1.8 MB | 525 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-mapbox-2.2.0.js
+> https://cdn.plot.ly/plotly-mapbox-2.2.1.js
 
-> https://cdn.plot.ly/plotly-mapbox-2.2.0.min.js
+> https://cdn.plot.ly/plotly-mapbox-2.2.1.min.js
 
 
 #### npm packages
@@ -229,12 +229,12 @@ The `finance` partial bundle contains trace modules `bar`, `candlestick`, `funne
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 3 MB | 1.1 MB | 353.5 kB |
+| 3 MB | 1.1 MB | 353.6 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-finance-2.2.0.js
+> https://cdn.plot.ly/plotly-finance-2.2.1.js
 
-> https://cdn.plot.ly/plotly-finance-2.2.0.min.js
+> https://cdn.plot.ly/plotly-finance-2.2.1.min.js
 
 
 #### npm packages
@@ -252,12 +252,12 @@ The `strict` partial bundle contains trace modules `bar`, `barpolar`, `box`, `ca
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 6.7 MB | 2.8 MB | 840.4 kB |
+| 6.7 MB | 2.8 MB | 840.5 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-strict-2.2.0.js
+> https://cdn.plot.ly/plotly-strict-2.2.1.js
 
-> https://cdn.plot.ly/plotly-strict-2.2.0.min.js
+> https://cdn.plot.ly/plotly-strict-2.2.1.min.js
 
 
 #### npm packages

diff --git a/dist/plotly-basic.js b/dist/plotly-basic.js
@@ -1,5 +1,5 @@
 /**
-* plotly.js (basic) v2.2.0
+* plotly.js (basic) v2.2.1
 * Copyright 2012-2021, Plotly, Inc.
 * All rights reserved.
 * Licensed under the MIT license
@@ -49233,14 +49233,9 @@ function buildSVGText(containerNode, str) {
                     var href = getQuotedMatch(extra, HREFMATCH);
 
                     if(href) {
-                        // check safe protocols
-                        var dummyAnchor = document.createElement('a');
-                        dummyAnchor.href = href;
-                        if(PROTOCOLS.indexOf(dummyAnchor.protocol) !== -1) {
-                            // Decode href to allow both already encoded and not encoded
-                            // URIs. Without decoding prior encoding, an already encoded
-                            // URI would be encoded twice producing a semantically different URI.
-                            nodeSpec.href = encodeURI(decodeURI(href));
+                        var safeHref = sanitizeHref(href);
+                        if(safeHref) {
+                            nodeSpec.href = safeHref;
                             nodeSpec.target = getQuotedMatch(extra, TARGETMATCH) || '_blank';
                             nodeSpec.popup = getQuotedMatch(extra, POPUPMATCH);
                         }
@@ -49255,6 +49250,27 @@ function buildSVGText(containerNode, str) {
     return hasLink;
 }
 
+function sanitizeHref(href) {
+    var decodedHref = encodeURI(decodeURI(href));
+    var dummyAnchor1 = document.createElement('a');
+    var dummyAnchor2 = document.createElement('a');
+    dummyAnchor1.href = href;
+    dummyAnchor2.href = decodedHref;
+
+    var p1 = dummyAnchor1.protocol;
+    var p2 = dummyAnchor2.protocol;
+
+    // check safe protocols
+    if(
+        PROTOCOLS.indexOf(p1) !== -1 &&
+        PROTOCOLS.indexOf(p2) !== -1
+    ) {
+        return decodedHref;
+    } else {
+        return '';
+    }
+}
+
 /*
  * sanitizeHTML: port of buildSVGText aimed at providing a clean subset of HTML
  * @param {string} str: the html string to clean
@@ -49289,10 +49305,9 @@ exports.sanitizeHTML = function sanitizeHTML(str) {
                     var href = getQuotedMatch(extra, HREFMATCH);
 
                     if(href) {
-                        var dummyAnchor = document.createElement('a');
-                        dummyAnchor.href = href;
-                        if(PROTOCOLS.indexOf(dummyAnchor.protocol) !== -1) {
-                            nodeAttrs.href = encodeURI(decodeURI(href));
+                        var safeHref = sanitizeHref(href);
+                        if(safeHref) {
+                            nodeAttrs.href = safeHref;
                             var target = getQuotedMatch(extra, TARGETMATCH);
                             if(target) {
                                 nodeAttrs.target = target;
@@ -84237,7 +84252,7 @@ function getSortFunc(opts, d2c) {
 'use strict';
 
 // package version injected by `npm run preprocess`
-exports.version = '2.2.0';
+exports.version = '2.2.1';
 
 },{}]},{},[8])(8)
 });
diff --git a/dist/plotly-basic.min.js b/dist/plotly-basic.min.js
diff --git a/dist/plotly-cartesian.js b/dist/plotly-cartesian.js
@@ -1,5 +1,5 @@
 /**
-* plotly.js (cartesian) v2.2.0
+* plotly.js (cartesian) v2.2.1
 * Copyright 2012-2021, Plotly, Inc.
 * All rights reserved.
 * Licensed under the MIT license
@@ -58392,14 +58392,9 @@ function buildSVGText(containerNode, str) {
                     var href = getQuotedMatch(extra, HREFMATCH);
 
                     if(href) {
-                        // check safe protocols
-                        var dummyAnchor = document.createElement('a');
-                        dummyAnchor.href = href;
-                        if(PROTOCOLS.indexOf(dummyAnchor.protocol) !== -1) {
-                            // Decode href to allow both already encoded and not encoded
-                            // URIs. Without decoding prior encoding, an already encoded
-                            // URI would be encoded twice producing a semantically different URI.
-                            nodeSpec.href = encodeURI(decodeURI(href));
+                        var safeHref = sanitizeHref(href);
+                        if(safeHref) {
+                            nodeSpec.href = safeHref;
                             nodeSpec.target = getQuotedMatch(extra, TARGETMATCH) || '_blank';
                             nodeSpec.popup = getQuotedMatch(extra, POPUPMATCH);
                         }
@@ -58414,6 +58409,27 @@ function buildSVGText(containerNode, str) {
     return hasLink;
 }
 
+function sanitizeHref(href) {
+    var decodedHref = encodeURI(decodeURI(href));
+    var dummyAnchor1 = document.createElement('a');
+    var dummyAnchor2 = document.createElement('a');
+    dummyAnchor1.href = href;
+    dummyAnchor2.href = decodedHref;
+
+    var p1 = dummyAnchor1.protocol;
+    var p2 = dummyAnchor2.protocol;
+
+    // check safe protocols
+    if(
+        PROTOCOLS.indexOf(p1) !== -1 &&
+        PROTOCOLS.indexOf(p2) !== -1
+    ) {
+        return decodedHref;
+    } else {
+        return '';
+    }
+}
+
 /*
  * sanitizeHTML: port of buildSVGText aimed at providing a clean subset of HTML
  * @param {string} str: the html string to clean
@@ -58448,10 +58464,9 @@ exports.sanitizeHTML = function sanitizeHTML(str) {
                     var href = getQuotedMatch(extra, HREFMATCH);
 
                     if(href) {
-                        var dummyAnchor = document.createElement('a');
-                        dummyAnchor.href = href;
-                        if(PROTOCOLS.indexOf(dummyAnchor.protocol) !== -1) {
-                            nodeAttrs.href = encodeURI(decodeURI(href));
+                        var safeHref = sanitizeHref(href);
+                        if(safeHref) {
+                            nodeAttrs.href = safeHref;
                             var target = getQuotedMatch(extra, TARGETMATCH);
                             if(target) {
                                 nodeAttrs.target = target;
@@ -104098,7 +104113,7 @@ function getSortFunc(opts, d2c) {
 'use strict';
 
 // package version injected by `npm run preprocess`
-exports.version = '2.2.0';
+exports.version = '2.2.1';
 
 },{}]},{},[15])(15)
 });
diff --git a/dist/plotly-cartesian.min.js b/dist/plotly-cartesian.min.js