fix(chat) prevent homograph attacks

Decode URLs using punycode when rendering, so when http://ebаy.com is sent we render http://xn--eby-7cd.com/ instead. Ref: tasti/react-linkify#84
jitsi · Sep 25, 2020 · 11ae187 · 11ae187
1 parent 0f9e01a
commit 11ae187
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 2 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -63,6 +63,7 @@
     "moment-duration-format": "2.2.2",
     "olm": "https://packages.matrix.org/npm/olm/olm-3.1.4.tgz",
     "pixelmatch": "5.1.0",
+    "punycode": "2.1.1",
     "react": "16.9",
     "react-dom": "16.9",
     "react-emoji-render": "1.2.4",

diff --git a/react/features/base/react/components/native/Linkify.js b/react/features/base/react/components/native/Linkify.js
@@ -1,5 +1,6 @@
 // @flow
 
+import punycode from 'punycode';
 import React, { Component } from 'react';
 import ReactLinkify from 'react-linkify';
 import { Text } from 'react-native';
@@ -68,7 +69,7 @@ export default class Linkify extends Component<Props> {
                 key = { key }
                 style = { this.props.linkStyle }
                 url = { decoratedHref }>
-                {decoratedText}
+                { punycode.toASCII(decoratedText) }
             </Link>
         );
     }

diff --git a/react/features/base/react/components/web/Linkify.js b/react/features/base/react/components/web/Linkify.js
@@ -1,5 +1,6 @@
 // @flow
 
+import punycode from 'punycode';
 import React, { Component } from 'react';
 import ReactLinkify from 'react-linkify';
 
@@ -44,7 +45,7 @@ export default class Linkify extends Component<Props> {
                 key = { key }
                 rel = 'noopener noreferrer'
                 target = '_blank'>
-                {decoratedText}
+                { punycode.toASCII(decoratedText) }
             </a>
         );
     }