Merge pull request from GHSA-m52x-29pq-w3vv
Fix potential XSS vulnerability
mpetroff committed Nov 22, 2019
2 parents f42e80f + 40111b2 commit cc2f3d9
Showing 1 changed file with 13 additions and 6 deletions.
19 changes: 13 additions & 6 deletions src/js/pannellum.js
Expand Up @@ -1719,7 +1719,7 @@ function createHotSpot(hs) {
if (config.basePath && !absoluteURL(imgp))
imgp = config.basePath + imgp;
a = document.createElement('a');
a.href = sanitizeURL(hs.URL ? hs.URL : imgp);
a.href = sanitizeURL(hs.URL ? hs.URL : imgp, true);
a.target = '_blank';
span.appendChild(a);
var image = document.createElement('img');
Expand All @@ -1731,7 +1731,7 @@ function createHotSpot(hs) {
span.style.maxWidth = 'initial';
} else if (hs.URL) {
a = document.createElement('a');
a.href = sanitizeURL(hs.URL);
a.href = sanitizeURL(hs.URL, true);
if (hs.attributes) {
for (var key in hs.attributes) {
a.setAttribute(key, hs.attributes[key]);
Expand Down Expand Up @@ -2005,7 +2005,7 @@ function processOptions(isPreview) {
var authorText = escapeHTML(config[key]);
if (config.authorURL) {
var authorLink = document.createElement('a');
authorLink.href = sanitizeURL(config['authorURL']);
authorLink.href = sanitizeURL(config['authorURL'], true);
authorLink.target = '_blank';
authorLink.innerHTML = escapeHTML(config[key]);
authorText = authorLink.outerHTML;
Expand All @@ -2016,7 +2016,7 @@ function processOptions(isPreview) {

case 'fallback':
var link = document.createElement('a');
link.href = sanitizeURL(config[key]);
link.href = sanitizeURL(config[key], true);
link.target = '_blank';
link.textContent = 'Click here to view this panorama in an alternative viewer.';
var message = document.createElement('p');
Expand Down Expand Up @@ -2378,10 +2378,17 @@ function escapeHTML(s) {
* The URL cannot be of protocol 'javascript'.
* @private
* @param {string} url - URL to sanitize
* @param {boolean} href - True if URL is for link (blocks data URIs)
* @returns {string} Sanitized URL
*/
function sanitizeURL(url) {
if (url.trim().toLowerCase().indexOf('javascript:') === 0) {
function sanitizeURL(url, href) {
if (url.trim().toLowerCase().indexOf('javascript:') === 0 ||
url.trim().toLowerCase().indexOf('vbscript:') === 0) {
console.log('Script URL removed.');
return 'about:blank';
}
if (href && url.trim().toLowerCase().indexOf('data:') === 0) {
console.log('Data URI removed from link.');
return 'about:blank';
}
return url;
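Review bot: The scheme check in sanitizeURL still compares the raw trimmed string, so a URL whose scheme is interleaved with tab or newline characters, or preceded by other control characters that browsers drop before parsing, would not match the `javascript:`/`vbscript:` prefix tests and would be returned unchanged; percent-encoded forms are likewise not normalized. A more robust shape is to derive the scheme from a normalized copy used only for the comparison — e.g. `var s = url.replace(/[\x00-\x20]/g, '').toLowerCase();` — or, where the URL API is available, to parse and allow-list `http:`/`https:` and relative URLs instead of deny-listing schemes. The trimmed lowercase string is also recomputed three times; hoisting it into one local would read better and keep the checks consistent. Separately, the `hs.attributes` loop shown as context in the createHotSpot hunk runs after sanitizeURL and can still set `href` or event-handler attributes on the anchor, which this commit does not address. sanitizeURL's closing brace lies outside the hunk.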
