feat(core): change the URL sanitization to only block javascript: URLs #49659
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pullapprove
bot
requested review from
alxhub,
jelbourn,
jessicajaniuk,
josephperrott and
pkozlowski-opensource
|
@jelbourn LGTM for security. |
bjarkler
reviewed
Mar 31, 2023
| @@ -9,13 +9,14 @@ | |||
| import {XSS_SECURITY_URL} from '../error_details_base_url'; | |||
|
|
|||
| /** | |||
| * A pattern that recognizes a commonly useful subset of URLs that are safe. | |||
| * A pattern that recognizes a URLs that are safe wrt. XSS in URL navigation | |||
There was a problem hiding this comment.
nit: "recognizes a URLs" -> "recognizes URLs"
jessicajaniuk
approved these changes
Mar 31, 2023
jelbourn
added
security
jelbourn
approved these changes
Mar 31, 2023
In modern browsers, the 'javascript:' URL scheme is the only scheme that can execute JavaScript when passed in a navigation URL context (e.g. `a.href` value). Validate URL shemes to only contain characters allowed in the URL specification ([a-zA-Z-+.]), and that are not javascript (case insensitive). This is not a breaking change. The URL sanitization is loosen.
neuracr
force-pushed
the
javascript-url-sanitizer
branch
from
63551df
to
bb41366
Compare
pkozlowski-opensource
removed request for
pkozlowski-opensource,
alxhub and
josephperrott
pullapprove
bot
requested review from
alxhub,
josephperrott and
pkozlowski-opensource
pkozlowski-opensource
approved these changes
Apr 4, 2023
pkozlowski-opensource
added
target: patch
|
This PR was merged into the repository by commit b35fa73. |
dylhunn
pushed a commit
that referenced
this pull request
Apr 4, 2023
#49659) In modern browsers, the 'javascript:' URL scheme is the only scheme that can execute JavaScript when passed in a navigation URL context (e.g. `a.href` value). Validate URL shemes to only contain characters allowed in the URL specification ([a-zA-Z-+.]), and that are not javascript (case insensitive). This is not a breaking change. The URL sanitization is loosen. PR Close #49659
crapStone
pushed a commit
to Calciumdibromid/CaBr2
that referenced
this pull request
Apr 9, 2023
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@angular/animations](https://github.com/angular/angular) | dependencies | patch | [`15.2.5` -> `15.2.6`](https://renovatebot.com/diffs/npm/@angular%2fanimations/15.2.5/15.2.6) | | [@angular/common](https://github.com/angular/angular) | dependencies | patch | [`15.2.5` -> `15.2.6`](https://renovatebot.com/diffs/npm/@angular%2fcommon/15.2.5/15.2.6) | | [@angular/compiler](https://github.com/angular/angular) | dependencies | patch | [`15.2.5` -> `15.2.6`](https://renovatebot.com/diffs/npm/@angular%2fcompiler/15.2.5/15.2.6) | | [@angular/compiler-cli](https://github.com/angular/angular/tree/main/packages/compiler-cli) ([source](https://github.com/angular/angular)) | devDependencies | patch | [`15.2.5` -> `15.2.6`](https://renovatebot.com/diffs/npm/@angular%2fcompiler-cli/15.2.5/15.2.6) | | [@angular/core](https://github.com/angular/angular) | dependencies | patch | [`15.2.5` -> `15.2.6`](https://renovatebot.com/diffs/npm/@angular%2fcore/15.2.5/15.2.6) | | [@angular/forms](https://github.com/angular/angular) | dependencies | patch | [`15.2.5` -> `15.2.6`](https://renovatebot.com/diffs/npm/@angular%2fforms/15.2.5/15.2.6) | | [@angular/platform-browser](https://github.com/angular/angular) | dependencies | patch | [`15.2.5` -> `15.2.6`](https://renovatebot.com/diffs/npm/@angular%2fplatform-browser/15.2.5/15.2.6) | | [@angular/platform-browser-dynamic](https://github.com/angular/angular) | dependencies | patch | [`15.2.5` -> `15.2.6`](https://renovatebot.com/diffs/npm/@angular%2fplatform-browser-dynamic/15.2.5/15.2.6) | --- ### Release Notes <details> <summary>angular/angular</summary> ### [`v15.2.6`](https://github.com/angular/angular/blob/HEAD/CHANGELOG.md#​1526-2023-04-05) [Compare Source](angular/angular@15.2.5...15.2.6) ##### core | Commit | Type | Description | | -- | -- | -- | | [d9efa1b0d7](angular/angular@d9efa1b) | feat | change the URL sanitization to only block javascript: URLs ([#​49659](angular/angular#49659)) | ##### router | Commit | Type | Description | | -- | -- | -- | | [cad7274ef9](angular/angular@cad7274) | fix | create correct URL relative to path with empty child ([#​49691](angular/angular#49691)) | | [9b61379096](angular/angular@9b61379) | fix | Ensure initial navigation clears current navigation when blocking ([#​49572](angular/angular#49572)) | #### Special Thanks Andrew Scott, Guillaume Weghsteen, John Manners, Johnny Gérard, Matthieu Riegler, Robin Richtsfeld, Sandra Limacher, Sarthak Thakkar, Vinit Neogi and vikram menon <!-- CHANGELOG SPLIT MARKER --> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4zNC4wIiwidXBkYXRlZEluVmVyIjoiMzUuMzguMCJ9--> Co-authored-by: cabr2-bot <cabr2.help@gmail.com> Reviewed-on: https://codeberg.org/Calciumdibromid/CaBr2/pulls/1851 Reviewed-by: Epsilon_02 <epsilon_02@noreply.codeberg.org> Co-authored-by: Calciumdibromid Bot <cabr2_bot@noreply.codeberg.org> Co-committed-by: Calciumdibromid Bot <cabr2_bot@noreply.codeberg.org>
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In modern browsers, the 'javascript:' URL scheme is the only scheme that can execute JavaScript when passed in a navigation URL context (e.g.
a.hrefvalue). Validate URL shemes to only contain characters allowed in the URL specification ([a-zA-Z-+.]), and that are not javascript (case insensitive). This is not a breaking change. The URL sanitization is loosen.PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
Security change.
What is the current behavior?
The navigation URL sanitization in Angular is currently allowlist based. It allows implicit shemes, or explicit scheme oneof https?|mailto|data|ftp|tel|file|sms that are known to be always safe wrt. XSS.
Issue Number: N/A
What is the new behavior?
The new sanitization algorithm validates the scheme has characters allowed by the URL specification. It is also blocklist based and blocks the javascript scheme (non case sensitive).
Does this PR introduce a breaking change?
Other information