fix: stronger enforcement of normalizeLink

[vjeux]

We should only accept links that start with https?:// and if it doesn't then add it. Do not allow for relative links.

Test Plan:
On excalidraw.com create a rectangle with a link javascript://%0aalert(document.domain) and save it: javas.excalidraw.zip

In this PR, load the file above and see that the link has https:// added before:

In this PR, create a rectangle with the above link. Make sure that https:// is added before.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
excalidraw	✅ Ready (Inspect)	Visit Preview	Jun 29, 2023 10:11am
excalidraw-package-example	✅ Ready (Inspect)	Visit Preview	Jun 29, 2023 10:11am

1 Ignored Deployment

Name	Status	Preview	Updated (UTC)
docs	⬜️ Ignored (Inspect)		Jun 29, 2023 10:11am

[ad1992]

@vjeux we were earlier allowing only https but users might want to add different protocols eg ftp://, file:// and may be some custom as mentioned in #4620 (comment) so we should instead whitelist these protocols instead of disallowing all except https, does that make sense ?

[zsviczian]

I did not check the code change in details, but please make sure you continue to allow markdown and [[wiki]] links.

[dwelle]

I did not check the code change in details, but please make sure you continue to allow markdown and [[wiki]] links.

we'll need to add a props.normalizeLink so host apps can do what they want, else it's outside the scope of the package to figure out and make decisions for host apps like this.

As for ftp:// and file:// protocols, I'm now not sure if it's actually a good idea to allow this as it make be another attack vector.

[dwelle]

we'll need to add a props.normalizeLink so host apps can do what they want, else it's outside the scope of the package to figure out and make decisions for host apps like this.

but the issue is how to propagate props.normalizeLink into util helpers such as restore() — we have the same issue in the iframe PR.

[dwelle]

Ok, so instead I've used a sanitizer from Braintree (https://github.com/braintree/sanitize-url), which is permissive enough to allow custom formats such as markdown (@zsviczian you'll need to sanitize the url yourself once you parse it and render, unless you're using a markdown renderer that does it for you). If needed, we export our link normalize from the package as normalizeLink.

This way we don't have to support props.normalizeLink which in turn allows us to keep doing the normalization on restore().

That said, restore() is not guaranteed to be run in every case, so from security perspective we still want to normalize in runtime when rendering the link or passing it upstream.

Further, we still want to support relative links & retain opening relative links in the same tab.

[dwelle]

Thanks @vjeux!