
Issue 2: Unvalidated Hyperlink Schemes Allow javascript: Injection #219

@garland3

Description


Severity: High

Summary

User-supplied hyperlink values (canvas-level, axes, table cells, marks, markers) are only type-checked in toyplot/require.py::hyperlink() but not validated for safe URI schemes. Attackers can supply javascript:, data:, or other active schemes that may execute code when a user clicks the link.

Affected Components

  • toyplot/require.py (hyperlink function)
  • Any usage assigning _hyperlink or attribute xlink:href from untrusted input.

Exploit Scenario

A visualization includes a mark with a hyperlink set to:

javascript:alert('Owned')

When a viewer clicks the element, arbitrary JavaScript executes within the page origin.

Impact

Execution of arbitrary script, potential phishing, credential theft, or privilege escalation in shared notebook environments.

Root Cause

Lack of allowlist / validation of URL schemes. Merely confirming the value is a str or None is insufficient.

Recommendation (Patch)

Implement a conservative allowlist in hyperlink():

from urllib.parse import urlparse

# Conservative allowlist; the empty scheme covers relative links.
_ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp", ""}

def hyperlink(value):
    # None remains the "no hyperlink" sentinel.
    if value is None:
        return None
    if not isinstance(value, str):
        raise ValueError("Expected string or None")
    # Judge the value by its parsed scheme, not by the raw string.
    parsed = urlparse(value)
    if parsed.scheme.lower() not in _ALLOWED_SCHEMES:
        raise ValueError("Disallowed URI scheme: %s" % parsed.scheme)
    return value

Add tests ensuring that javascript:, data:, vbscript: raise a ValueError.
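The following is an added example, not toyplot's own code and not the patch text above: a standalone validator in the shape the recommendation describes, together with the regression checks it asks for. It goes one step further than the recommendation by normalising the value the way a browser does (dropping leading/trailing control characters and spaces, and tabs/newlines anywhere) before reading the scheme, so that case or whitespace variations of a blocked scheme are judged on what a browser would actually resolve. The function names, constants and sample values are this example's own.

```python
"""Allowlist-based hyperlink validation plus the regression checks the
issue asks for (added example; names and samples are constructed here)."""
from urllib.parse import urlparse

# Same conservative allowlist as the recommendation; "" admits relative URLs.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", "ftp", ""})

# C0 control characters and space, which the WHATWG URL parser strips from
# both ends of a URL before it looks for a scheme.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def _browser_normalise(url):
    """Mimic the browser's pre-parse cleanup so the scheme we check is the
    scheme a browser would see: trim C0/space at the ends, then remove every
    ASCII tab, CR and LF wherever it occurs."""
    url = url.strip(_C0_AND_SPACE)
    return url.replace("\t", "").replace("\r", "").replace("\n", "")


def validate_hyperlink(value):
    """Return value unchanged if its scheme is allowlisted, otherwise raise.

    The original string is returned, not the normalised one: normalisation is
    only used to decide, so the caller's value is never silently rewritten."""
    if value is None:
        return None
    if not isinstance(value, str):
        raise ValueError("Expected string or None")
    scheme = urlparse(_browser_normalise(value)).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("Disallowed URI scheme: %r" % scheme)
    return value


def is_safe_hyperlink(value):
    """Boolean wrapper used by the checks below and convenient in tests."""
    try:
        validate_hyperlink(value)
    except ValueError:
        return False
    return True


# Constructed samples: the first group must pass, the second must be rejected.
ALLOWED_SAMPLES = (
    "https://example.com/plot",
    "mailto:maintainer@example.com",
    "docs/index.html",            # relative URL, empty scheme
)
BLOCKED_SAMPLES = (
    "javascript:alert('Owned')",  # the scenario from the report
    "data:text/plain,hello",      # data: is an active scheme, rejected regardless of payload
    "vbscript:MsgBox(1)",
    "JavaScript:alert(1)",        # scheme case must not matter
    "  javascript:alert(1)",      # leading whitespace a browser would drop
    "java\tscript:alert(1)",      # embedded tab a browser would drop
    123,                          # wrong type
)


def run_regression_checks():
    """Map each sample to 'allowed' or 'rejected'; mismatches mean the
    validator has regressed."""
    results = {}
    for sample in ALLOWED_SAMPLES + BLOCKED_SAMPLES:
        results[sample] = "allowed" if is_safe_hyperlink(sample) else "rejected"
    return results


if __name__ == "__main__":
    for sample, outcome in run_regression_checks().items():
        print("%-32r %s" % (sample, outcome))
```

Two points worth keeping in mind when adopting this. First, a protocol-relative link such as `//host/path` parses with an empty scheme and is therefore accepted by the allowlist; it inherits the page's own scheme, so that is consistent with permitting relative links. Second, the check deliberately stays scheme-based: the `data:` sample is rejected because of its scheme alone, not because of anything in its payload, which keeps the decision independent of payload encoding tricks.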

Long-Term Considerations

  • Optionally add a configuration toggle (strict / permissive).
  • Document expected safe schemes to users.
  • Consider stripping control characters and validating internationalized domain names if adding more complexity.

Verification Steps

  1. Before patch: set a mark hyperlink to javascript:alert(1); click – code runs.
  2. After patch: same assignment raises ValueError.

References

  • OWASP Unvalidated Redirects and Forwards
  • W3C URL Standard – allowed schemes

Tracking

Labels: security, hyperlink, XSS, high-priority.
