Skip to content

Latest commit

 

History

History
40 lines (28 loc) · 1.23 KB

readme.md

File metadata and controls

40 lines (28 loc) · 1.23 KB
Raw

Safe-url

Returns a safe url of the given string

Motivation

Solves potential XSS vulnerabilities when javascript: is used as a protocol.

Installation

yarn add @kaliber/safe-url

Usage

This function should be used when you want to navigate a user to a other url especially when you take the value form the url. A use case would be to check a returnUrl.

Basic usage

import { safeUrl } from '@kaliber/safe-url'

const { returnUrl } = req.query // useQueryString()

// Allowed protocols
window.location.href = safeUrl(returnUrl) // returnUrl = 'https://kaliber.net'

// This throws a error
window.location.href = safeUrl(returnUrl) // returnUrl =  'javascript:confirm(document.domain)'

allowedHostsList

import { safeUrl } from '@kaliber/safe-url'

safeUrl('https://npm.com/', { allowedHostsList: ['kaliber.net'] }) // throws a error
safeUrl('https://kaliber.net/', { allowedHostsList: ['kaliber.net'] }) // returns the given url.

Disclaimer

This library is intended for internal use, we provide no support, use at your own risk. It does not import React, but expects it to be provided, which @kaliber/build can handle for you.

This library is not transpiled.