Fix XSS vulnerabilities in link sanitizer

Author: gpoitch

lib/utils/sanitization-utils.js

@@ -1,20 +1,20 @@
 import { includes } from './array-utils';
 
-const PROTOCOL_REGEXP = /^([a-z0-9.+-]+:)/i;
+const PROTOCOL_REGEXP = /.+:/i;
 
 const badProtocols = [
-  'javascript:', // jshint ignore:line
-  'vbscript:' // jshint ignore:line
+  'javascript', // jshint ignore:line
+  'vbscript' // jshint ignore:line
 ];
 
 function getProtocol(url) {
   let matches = url && url.match(PROTOCOL_REGEXP);
-  let protocol = (matches && matches[0]) || ':';
+  let protocol = matches && matches[0] && matches[0].split(':')[0] || '';
   return protocol;
 }
 
 export function sanitizeHref(url) {
-  let protocol = getProtocol(url).toLowerCase();
+  let protocol = getProtocol(url).toLowerCase().replace(/ /g, '');
   if (includes(badProtocols, protocol)) {
     return `unsafe:${url}`;
   }

tests/unit/utils/sanitization-utils-test.js

@@ -12,6 +12,9 @@ test('#sanitizeHref', (assert) => {
   let unsafe = [
     'javascript:alert("XSS")', // jshint ignore: line
     'jaVasCript:alert("XSS")', // jshint ignore: line
+    'javascript:javascript:alert("XSS")', // jshint ignore: line
+    'java script:alert("XSS")', // jshint ignore: line
+    'ja vas cri pt::alert("XSS")', // jshint ignore: line
     'vbscript:alert("XSS")' // jshint ignore: line
   ];