Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

<amp-pinterest> Sanitize URLs #13885

Merged
merged 2 commits into from Mar 8, 2018
Merged

<amp-pinterest> Sanitize URLs #13885

merged 2 commits into from Mar 8, 2018

Conversation

nainar
Copy link
Contributor

@nainar nainar commented Mar 8, 2018

Currently we call openWindowDialog on a click on an AMP widget. These hrefs should be sanitized before being passed to openWindowDialog.

@nainar nainar requested a review from jridgewell March 8, 2018 21:01
jridgewell
jridgewell requested changes Mar 8, 2018
View reviewed changes
extensions/amp-pinterest/0.1/pin-widget.js Outdated
@@ -58,9 +58,9 @@ export class PinWidget {
const log = el.getAttribute('data-pin-log');
if (href) {
if (shouldPop) {
openWindowDialog(window, href, '_pinit', POP);
openWindowDialog(window, encodeURI(href), '_pinit', POP);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This won't do it. I can still use a javascript:alert('PWNED'), which'll pass right through. We likely want something like assertAbsoluteHttpOrHttpsUrl.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Taken this out in favor of assertAbsoluteHttpOrHttpsUrl

nainar
nainar commented Mar 8, 2018
View reviewed changes
Copy link
Contributor Author

@nainar nainar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jridgewell PTAL?

extensions/amp-pinterest/0.1/pin-widget.js
@@ -57,6 +57,7 @@ export class PinWidget {
const href = el.getAttribute('data-pin-href');
const log = el.getAttribute('data-pin-log');
if (href) {
assertAbsoluteHttpOrHttpsUrl(href);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Asserting that the href is starting with http/https here.

Won't allow localhost - so testing 🤷
Also can one still force code in the latter part of the URL?

@nainar nainar changed the title Encode all URI components to sanitize them <amp-pinterest> Sanitize URLs Mar 8, 2018
@nainar
Copy link
Contributor Author

nainar commented Mar 8, 2018

Can you please merge it in too? I don't have the required rights.

@jridgewell
Copy link
Contributor

Ping me when travis passes.

@nainar
Copy link
Contributor Author

nainar commented Mar 8, 2018

🔔🔔🔔

@jridgewell jridgewell merged commit deb5a66 into ampproject:master Mar 8, 2018
RanAbram pushed a commit to RanAbram/amphtml that referenced this pull request Mar 12, 2018
@nainar @RanAbram
<amp-pinterest> Sanitize URLs (ampproject#13885)
820740a 
* Encode all UR components to sanitize them

* Assert that all URLs are http or https
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jridgewell jridgewell jridgewell approved these changes

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@nainar @jridgewell @googlebot