Update link handling
scottnonnenberg-signal committed May 11, 2018
1 parent f6eb745 commit bfbd84f
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion js/views/message_view.js
@@ -15,6 +15,8 @@

window.Whisper = window.Whisper || {};

const URL_REGEX = /(^|[\s\n]|<br\/?>)((?:https?|ftp):\/\/[-A-Z0-9\u00A0-\uD7FF\uE000-\uFDCF\uFDF0-\uFFFD+\u0026\u2019@#/%?=()~_|!:,.;]*[-A-Z0-9+\u0026@#/%=~()_|])/gi;

const ErrorIconView = Whisper.View.extend({
templateName: 'error-icon',
className: 'error-icon-container',
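Review bot: URL_REGEX carries an invariant that nothing documents: its second capture group is interpolated straight into `href='$2'` by the `body.html(...)` hunk further down, so the character classes must never admit `'`, `<` or `>`. Today they do not (the class lists `\u0026` and `\u2019` but not U+0027, the final class is even narrower, and the scheme is limited to `https?|ftp`, which also rules out `javascript:`, `file:` and similar), but someone adding `'` to the class later would reopen an attribute break-out without touching the replace line. Please add a comment above the constant saying that it runs over HTML-escaped text and must exclude quote and angle-bracket characters; while there, the `\n` inside `[\s\n]` is redundant because `\s` already matches newlines.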
@@ -508,7 +510,11 @@

if (body.length > 0) {
const escapedBody = body.html();
body.html(Signal.HTML.render(escapedBody));
body.html(
escapedBody
.replace(/\n/g, '<br>')
.replace(URL_REGEX, "$1<a href='$2' target='_blank'>$2</a>")
);
}

this.renderSent();
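Review bot: the generated anchor sets `target='_blank'` without `rel='noopener noreferrer'`, so unless window creation is intercepted elsewhere in the app, the opened page receives a `window.opener` reference back to the message view; add the `rel` attribute to the replacement string `"$1<a href='$2' target='_blank'>$2</a>"`. The ordering here is also load-bearing and unstated: `escapedBody` comes from `body.html()`, so `<`, `>` and `&` are already entity-encoded before URL_REGEX runs, and the regex excludes `'`, which is the only reason `$2` cannot terminate the single-quoted `href`. A two-line comment would stop a later change from reordering the `.replace` calls or switching the attribute to double quotes without re-checking the regex. Finally, the commit message ("Update link handling") does not say why `Signal.HTML.render(escapedBody)` is being replaced by this inline code, which is exactly what the comment thread below asks.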

4 comments on commit bfbd84f

@shark0der

Can someone elaborate on why without the link parser an XSS was triggered?

@frioux frioux commented on bfbd84f May 12, 2018

My guess is that the Electron environment has a ton of URI handlers. For example, some clients can allow you to link to file:///etc/passwd; there may be some absurd feature in Electron like exec:///....

@grmpyninja grmpyninja commented on bfbd84f May 16, 2018

because

<a href=javascript:alert(1)>Click</a>

is a valid XSS payload that triggers code execution.

@mikkorantalainen

How about test<img src=x onerror=alert()>? You really cannot parse HTML with regex.
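The two payloads quoted in the thread can be run through the exact pipeline the commit introduces. What follows is an added example, not Signal-Desktop code and not part of the discussion: URL_REGEX and the two `.replace` calls are copied from the hunks above, while `escapeLikeInnerHtml` (a stand-in for what jQuery's `.html()` getter returns, assumed here to encode only `&`, `<` and `>`, as innerHTML serialisation of a text node does), `renderBody`, `auditMarkup`, `runSamples` and the sample strings are names and inputs chosen for this example.

```javascript
// Added example, not Signal-Desktop code: re-creates the escape-then-linkify
// pipeline from the commit above and feeds it the payloads quoted in the comments.

// Copied verbatim from the commit's js/views/message_view.js.
const URL_REGEX = /(^|[\s\n]|<br\/?>)((?:https?|ftp):\/\/[-A-Z0-9\u00A0-\uD7FF\uE000-\uFDCF\uFDF0-\uFFFD+\u0026\u2019@#/%?=()~_|!:,.;]*[-A-Z0-9+\u0026@#/%=~()_|])/gi;

// Assumption: stand-in for what the view gets back from jQuery's .html() getter
// once the message text has been set as a text node. innerHTML serialisation
// entity-encodes '&', '<' and '>' but leaves single and double quotes alone.
function escapeLikeInnerHtml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The two replace() calls from the second hunk, unchanged.
function linkify(escapedBody) {
  return escapedBody
    .replace(/\n/g, '<br>')
    .replace(URL_REGEX, "$1<a href='$2' target='_blank'>$2</a>");
}

// The whole pipeline: escape first, then linkify the escaped text.
function renderBody(plainText) {
  return linkify(escapeLikeInnerHtml(plainText));
}

// Audit helper written for this example: the only tags allowed in the output are
// <br>, </a>, and anchors whose href starts with http/https/ftp and contains
// nothing that could close the single-quoted attribute.
function auditMarkup(html) {
  const anchorRe = /^<a href='(?:https?|ftp):\/\/[^'<>]*' target='_blank'>$/i;
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every((tag) => tag === '<br>' || tag === '</a>' || anchorRe.test(tag));
}

// Constructed inputs: the two payloads from the comment thread, a legitimate
// link with an ampersand and a newline, and an attempt to break out of href='...'.
const SAMPLES = {
  imgOnerror: 'test<img src=x onerror=alert()>',
  jsAnchor: '<a href=javascript:alert(1)>Click</a>',
  realLink: 'see https://signal.org/docs?x=1&y=2\nthanks',
  quoteBreakout: "https://example.com/a' onmouseover='alert(1)",
};

function runSamples() {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    const html = renderBody(text);
    out[name] = { html, safe: auditMarkup(html) };
  }
  return out;
}

for (const [name, result] of Object.entries(runSamples())) {
  console.log(`${name} (${result.safe ? 'only expected tags' : 'UNEXPECTED TAG'}): ${result.html}`);
}
// Same payload without the escape step: the regex alone does nothing about it.
console.log('unescaped imgOnerror passes audit:', auditMarkup(linkify(SAMPLES.imgOnerror)));
```

Both payloads survive only as entity-encoded text because they never reach the regex as markup; `javascript:`, `file:` and `exec:` never produce an anchor because the scheme alternation only accepts http, https and ftp; and the `quoteBreakout` sample ends its anchor at `/a` and leaves `' onmouseover=...` as inert text after `</a>` because U+0027 is not in the regex's character class. Running `linkify` on the unescaped string shows the other half of the story: the regex is not an HTML sanitiser, so the escape step has to run first.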