Skip to content

Commit

Permalink
restrict protocols (#1149)
Browse files Browse the repository at this point in the history
  • Loading branch information
syjer authored Dec 9, 2022
1 parent 2ef7187 commit e032fd5
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 0 deletions.
16 changes: 16 additions & 0 deletions src/main/java/alfio/util/MustacheCustomTag.java
Original file line number Diff line number Diff line change
Expand Up @@ -168,7 +168,15 @@ private static class TargetBlankProvider implements AttributeProvider {
public void setAttributes(Node node, String tagName, Map<String, String> attributes) {
if (node instanceof Link l) {
String destination = StringUtils.trimToEmpty(l.getDestination());
var scheme = getScheme(destination);
scheme.ifPresent(resolvedScheme -> {
if (!Set.of("http", "https").contains(resolvedScheme)) {
log.info("User tried to set an url with scheme {}, only http/https are accepted, href has been removed", resolvedScheme);
attributes.remove("href");
}
});
if (UrlUtils.isAbsoluteUrl(destination)) {
// accept only http or https protocols if we have an absolute link, else we override with an empty string
attributes.put("target", "_blank");
attributes.put("rel", "nofollow noopener noreferrer");
var newTabLabel = A11Y_NEW_TAB_LABEL.get();
Expand All @@ -183,6 +191,14 @@ public static String renderToHtmlCommonmarkEscaped(String input) {
return renderToHtmlCommonmarkEscaped(input, null);
}

/**
* return lowercase scheme if present
*/
private static Optional<String> getScheme(String uri) {
var s = StringUtils.trimToEmpty(uri).toLowerCase(Locale.ROOT);
return s.indexOf(':') >= 0 ? Optional.of(StringUtils.substringBefore(s, ':')) : Optional.empty();
}

public static String renderToHtmlCommonmarkEscaped(String input, String localizedNewWindowLabel) {
try {
A11Y_NEW_TAB_LABEL.set(localizedNewWindowLabel);
Expand Down
9 changes: 9 additions & 0 deletions src/test/java/alfio/util/MustacheCustomTagTest.java
Original file line number Diff line number Diff line change
Expand Up @@ -87,4 +87,13 @@ public void testHtmlMarkDown() {
//for absolute link we add target="_blank"
assertEquals("<p>link <a href=\"http://test\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">bla</a> link</p>\n", MustacheCustomTag.renderToHtmlCommonmarkEscaped("link [bla](http://test) link"));
}

@Test
public void acceptOnlyHttpOrHttpsProtocols() {
assertEquals("<p><a href=\"http://google.com\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">google</a></p>\n", MustacheCustomTag.renderToHtmlCommonmarkEscaped("[google](http://google.com)"));
assertEquals("<p><a href=\"https://google.com\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">google</a></p>\n", MustacheCustomTag.renderToHtmlCommonmarkEscaped("[google](https://google.com)"));
assertEquals("<p><a>google</a></p>\n", MustacheCustomTag.renderToHtmlCommonmarkEscaped("[google](any:google.com)"));
assertEquals("<p><a>google</a></p>\n", MustacheCustomTag.renderToHtmlCommonmarkEscaped("[google](other:google.com)"));
assertEquals("<p><a>google</a></p>\n", MustacheCustomTag.renderToHtmlCommonmarkEscaped("[google](protocols:/google.com)"));
}
}

0 comments on commit e032fd5

Please sign in to comment.