Browse files

Update link handling

  • Loading branch information...
scottnonnenberg-signal committed May 11, 2018
1 parent f6eb745 commit bfbd84f5d1308cdfcb08a1727821f7103be151ea
Showing with 7 additions and 1 deletion.
  1. +7 −1 js/views/message_view.js
@@ -15,6 +15,8 @@

window.Whisper = window.Whisper || {};

const URL_REGEX = /(^|[\s\n]|<br\/?>)((?:https?|ftp):\/\/[-A-Z0-9\u00A0-\uD7FF\uE000-\uFDCF\uFDF0-\uFFFD+\u0026\u2019@#/%?=()~_|!:,.;]*[-A-Z0-9+\u0026@#/%=~()_|])/gi;

const ErrorIconView = Whisper.View.extend({
templateName: 'error-icon',
className: 'error-icon-container',
@@ -508,7 +510,11 @@

if (body.length > 0) {
const escapedBody = body.html();
.replace(/\n/g, '<br>')
.replace(URL_REGEX, "$1<a href='$2' target='_blank'>$2</a>")


3 comments on commit bfbd84f


This comment has been minimized.

Copy link

shark0der replied May 12, 2018

Can someone elaborate on why without the link parser an XSS was triggered?


This comment has been minimized.

Copy link

frioux replied May 12, 2018

My guess is that the electron environment has a ton of uri handlers. For example some clients can allow you to link to file:///etc/passwd; there may be some absurd feature in electron like exec:///....


This comment has been minimized.

Copy link

grmpyninja replied May 16, 2018


<a href=javascript:alert(1)>Click</a>

is a valid XSS payload that triggers a code execution.

Please sign in to comment.