Sanitize href attributes on HTML elements

quantizor · May 14, 2019 · 235c91a · 235c91a
1 parent 208d401
commit 235c91a
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/index.compiler.spec.js b/index.compiler.spec.js
@@ -909,7 +909,7 @@ describe('links', () => {
 `);
   });
 
-  it('should sanitize links containing JS expressions', () => {
+  it('should sanitize markdown links containing JS expressions', () => {
     jest.spyOn(console, 'warn').mockImplementation(() => {});
 
     render(compiler('[foo](javascript:doSomethingBad)'));
@@ -925,7 +925,7 @@ describe('links', () => {
     expect(console.warn).toHaveBeenCalled();
   });
 
-  it('should sanitize links containing encoded JS expressions', () => {
+  it('should sanitize markdown links containing encoded JS expressions', () => {
     jest.spyOn(console, 'warn').mockImplementation(() => {});
 
     render(compiler('[foo](javascript%3AdoSomethingBad)'));
@@ -941,7 +941,7 @@ describe('links', () => {
     expect(console.warn).toHaveBeenCalled();
   });
 
-  it('should sanitize links containing padded JS expressions', () => {
+  it('should sanitize markdown links containing padded JS expressions', () => {
     jest.spyOn(console, 'warn').mockImplementation(() => {});
 
     render(compiler('[foo](  javascript%3AdoSomethingBad)'));
@@ -957,7 +957,7 @@ describe('links', () => {
     expect(console.warn).toHaveBeenCalled();
   });
 
-  it('should sanitize links containing invalid characters', () => {
+  it('should sanitize markdown links containing invalid characters', () => {
     jest.spyOn(console, 'warn').mockImplementation(() => {});
 
     render(compiler('[foo](https://google.com/%AF)'));
@@ -972,6 +972,22 @@ describe('links', () => {
     expect(console.warn).toHaveBeenCalled();
   });
 
+  it('should sanitize html links containing JS expressions', () => {
+      jest.spyOn(console, 'warn').mockImplementation(() => {});
+
+      render(compiler('<a href="javascript:doSomethingBad">foo</a>'));
+
+      expect(root.innerHTML).toMatchInlineSnapshot(`
+
+<a data-reactroot>
+  foo
+</a>
+
+`);
+
+      expect(console.warn).toHaveBeenCalled();
+    });
+
   it('should handle a link with a URL in the text', () => {
     render(
       compiler('[https://www.google.com *heck yeah*](http://www.google.com)')

diff --git a/index.js b/index.js
@@ -374,6 +374,8 @@ function attributeValueToJSXPropValue(key, value) {
 
       return styles;
     }, {});
+  } else if (key === 'href') {
+    return sanitizeUrl(value)
   } else if (value.match(INTERPOLATION_R)) {
     // return as a string and let the consumer decide what to do with it
     value = value.slice(1, value.length - 1);