omit anchors with XSS href via a whitelist in convertToSVG

plotly · Dec 10, 2015 · d588595 · d588595
1 parent 92a9850
commit d588595
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/lib/svg_text_utils.js b/src/lib/svg_text_utils.js
@@ -221,6 +221,8 @@ var TAG_STYLES = {
     em: 'font-style:italic;font-weight:bold'
 };
 
+var PROTOCOLS = ['http:', 'https:', 'mailto'];
+
 var STRIP_TAGS = new RegExp('</?(' + Object.keys(TAG_STYLES).join('|') + ')( [^>]*)?/?>', 'g');
 
 util.plainText = function(_str){
@@ -252,7 +254,14 @@ function convertToSVG(_str){
                 if(tag === 'a'){
                     if(close) return '</a>';
                     else if(extra.substr(0,4).toLowerCase() !== 'href') return '<a>';
-                    else return '<a xlink:show="new" xlink:href' + extra.substr(4) + '>';
+                    else {
+                        var dummyAnchor = document.createElement('a');
+                        dummyAnchor.href = extra.split('href=')[1].replace(/["']/g, '');
+
+                        if(PROTOCOLS.indexOf(dummyAnchor.protocol) === -1) return '<a>';
+
+                        return '<a xlink:show="new" xlink:href' + extra.substr(4) + '>';
+                    }
                 }
                 else if(tag === 'br') return '<br>';
                 else if(close) {