Merge pull request #1715 from plotly/ie-link-fix

add empty protocol to link whitelist for IE relative links
plotly · May 23, 2017 · d0aa27a · d0aa27a
2 parents 3771863 + b5f5168
commit d0aa27a
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/lib/svg_text_utils.js b/src/lib/svg_text_utils.js
@@ -252,7 +252,13 @@ var TAG_CLOSE = {
     sub: '<tspan dy="-0.21em">&#x200b;</tspan>'
 };
 
-var PROTOCOLS = ['http:', 'https:', 'mailto:'];
+/*
+ * Whitelist of protocols in user-supplied urls. Mostly we want to avoid javascript
+ * and related attack vectors. The empty items are there for IE, that in various
+ * versions treats relative paths as having different flavors of no protocol, while
+ * other browsers have these explicitly inherit the protocol of the page they're in.
+ */
+var PROTOCOLS = ['http:', 'https:', 'mailto:', '', undefined, ':'];
 
 var STRIP_TAGS = new RegExp('</?(' + Object.keys(TAG_STYLES).join('|') + ')( [^>]*)?/?>', 'g');