author | Mathias Bynens <mathias@chromium.org> | 2019-11-20 12:59:44 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-10 15:48:47 +0000 |
commit | 5043a049628bbc0c28e00e40e87744efc96a8472 (patch) | |
tree | 256d6e647a6166ee77d6f5dcaa4dea8eaa8d6c19 | |
parent | 20b67be01c3a97b4db54186b004550f4abc855af (diff) |
[Backport] Security bug 1026293
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/1925056:
Harden XLink defense-in-depth
This patch leverages the native `URL` API for URL parsing and
validation for XLink components. It also ensures XLinks get
rel=noopener.
Bug: chromium:1026293
Change-Id: Iad274bbde5d2ad9f0d8b22f35f3e36cba2aa76f1
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js b/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
index a29a72afdc3..548944b569a 100644
--- a/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
+++ b/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
@@ -31,7 +31,8 @@ UI.XLink = class extends UI.XElement {
 this.style.setProperty('display', 'inline');
 UI.ARIAUtils.markAsLink(this);
 this.tabIndex = 0;
- this.setAttribute('target', '_blank');
+ this.target = '_blank';
+ this.rel = 'noopener';
 /** @type {?string} */
 this._href = null;
@@ -71,11 +72,20 @@ UI.XLink = class extends UI.XElement {
 }
 if (attr === 'href') {
- let href = newValue;
- if (newValue.trim().toLowerCase().startsWith('javascript:'))
- href = null;
- if (Common.ParsedURL.isRelativeURL(newValue))
+ // For invalid or non-absolute URLs, `href` should remain `null`.
+ if (!newValue) {
+ newValue = '';
+ }
+ let href = null;
+ let url = null;
+ try {
+ url = new URL(newValue);
+ href = url.toString();
+ } catch (error) {
+ }
+ if (url && url.protocol === 'javascript:') {
 href = null;
+ }
 this._href = href;
 this.title = newValue; |
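Review bot: `this.target = '_blank';` and `this.rel = 'noopener';` assign JavaScript properties, whereas the removed line set a DOM attribute; on an element that is not an anchor these names are, as far as I know, not reflected to attributes, so whether `rel=noopener` actually lands on the element depends on how `UI.XElement` is defined, which is outside this hunk. If the base class does not reflect them, `this.setAttribute('target', '_blank');` and `this.setAttribute('rel', 'noopener');` would make the hardening explicit. A one-line comment such as `// noopener: the opened page must not get a window.opener handle back to DevTools` would record why the value is set. The constructor starts and ends outside the hunk.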
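Review bot: The scheme check after the `try` block is a denylist of one entry (`url.protocol === 'javascript:'`), so any other absolute URL that `new URL()` accepts, for example a `data:` URL, is still stored in `this._href`. If XLink is only meant to open web pages, an allowlist is the safer default: `if (url && !['http:', 'https:'].includes(url.protocol)) { href = null; }`; which schemes callers legitimately pass is not visible here, so the list needs confirming. The empty `catch (error) {}` would read better with a comment such as `// Not an absolute URL: leave href as null.` Note also that `this.title = newValue;` in the trailing context still shows the raw, unvalidated string. The enclosing method starts and ends outside the hunk.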