Fix XSS via javascript: url in a link

Prevously, was possible to trigger XSS setting as link an URL like `javascript:alert('XSS')`. Fix it via a custom HTML input validation pattern to block both `javascript:` and `data:` URLs.
basecamp · Dec 18, 2024 · 12ee782 · 12ee782
1 parent f4d64c2
commit 12ee782
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/src/test/system/text_formatting_test.js b/src/test/system/text_formatting_test.js
@@ -58,6 +58,18 @@ testGroup("Text formatting", { template: "editor_empty" }, () => {
     expectDocument("ahttp://example.com\n")
   })
 
+  test("inserting a javascript: link is forbidden", async () => {
+    await typeCharacters("XSS")
+    await moveCursor("left")
+    await expandSelection("left")
+    await clickToolbarButton({ attribute: "href" })
+    assert.ok(isToolbarDialogActive({ attribute: "href" }))
+    await typeInToolbarDialog("javascript:alert('XSS')", { attribute: "href" })
+    assert.textAttributes([ 0, 1 ], {})
+    assert.textAttributes([ 1, 2 ], { frozen: true })
+    assert.textAttributes([ 2, 3 ], {})
+  })
+
   test("editing a link", async () => {
     insertString("a")
     const text = Text.textForStringWithAttributes("bc", { href: "http://example.com" })

diff --git a/src/trix/config/toolbar.js b/src/trix/config/toolbar.js
@@ -35,7 +35,7 @@ export default {
     <div class="trix-dialogs" data-trix-dialogs>
       <div class="trix-dialog trix-dialog--link" data-trix-dialog="href" data-trix-dialog-attribute="href">
         <div class="trix-dialog__link-fields">
-          <input type="url" name="href" class="trix-input trix-input--dialog" placeholder="${lang.urlPlaceholder}" aria-label="${lang.url}" required data-trix-input>
+          <input type="url" name="href" class="trix-input trix-input--dialog" placeholder="${lang.urlPlaceholder}" aria-label="${lang.url}" pattern="^(?!(javascript:|data:)).*" required data-trix-input>
           <div class="trix-button-group">
             <input type="button" class="trix-button trix-button--dialog" value="${lang.link}" data-trix-method="setAttribute">
             <input type="button" class="trix-button trix-button--dialog" value="${lang.unlink}" data-trix-method="removeAttribute">