
Update link handling

scottnonnenberg-signal committed May 11, 2018
1 parent f6eb745 commit bfbd84f5d1308cdfcb08a1727821f7103be151ea
Showing with 7 additions and 1 deletion.
  1. +7 −1 js/views/message_view.js
@@ -15,6 +15,8 @@

window.Whisper = window.Whisper || {};

const URL_REGEX = /(^|[\s\n]|<br\/?>)((?:https?|ftp):\/\/[-A-Z0-9\u00A0-\uD7FF\uE000-\uFDCF\uFDF0-\uFFFD+\u0026\u2019@#/%?=()~_|!:,.;]*[-A-Z0-9+\u0026@#/%=~()_|])/gi;

const ErrorIconView = Whisper.View.extend({
templateName: 'error-icon',
className: 'error-icon-container',
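Review bot: The scheme alternation `(?:https?|ftp)` at the start of `URL_REGEX` is the only thing preventing `javascript:`, `data:` or `file:` text from ever being turned into an `href`, so it should be documented as a security boundary rather than left as an unexplained regex. A comment above `const URL_REGEX` stating that only http/https/ftp links are auto-linked, and that both character classes deliberately exclude the ASCII apostrophe, `<` and `>` (so a captured URL cannot close the single-quoted `href='$2'` attribute used in the replacement below), would stop a later edit from loosening either constraint. `\u2019` (the typographic right quotation mark) is permitted, which is harmless inside a single-quoted attribute, but the ASCII `'` must stay out of the class.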
@@ -508,7 +510,11 @@

if (body.length > 0) {
const escapedBody = body.html();
body.html(Signal.HTML.render(escapedBody));
body.html(
escapedBody
.replace(/\n/g, '<br>')
.replace(URL_REGEX, "$1<a href='$2' target='_blank'>$2</a>")
);
}

this.renderSent();
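Review bot: The anchor in the replacement string carries `target='_blank'` but no `rel='noopener noreferrer'`, so the opened page receives a `window.opener` reference to the app's window; add `rel='noopener noreferrer'` to `"$1<a href='$2' target='_blank'>$2</a>"`. The safety of this block also rests on an unstated invariant: `body.html()` must return already entity-escaped text, because the `.replace(/\n/g, '<br>')` and the `$2` substitution into an attribute are only safe when `<`, `>`, `&` and quotes from the original message were escaped earlier. A one-line comment above `const escapedBody = body.html();` recording that invariant, and noting that `Signal.HTML.render(escapedBody)` was dropped in favour of this inline linkifier, would help the next reader.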

3 comments on commit bfbd84f

shark0der replied May 12, 2018

Can someone elaborate on why without the link parser an XSS was triggered?

frioux replied May 12, 2018

My guess is that the electron environment has a ton of uri handlers. For example some clients can allow you to link to file:///etc/passwd; there may be some absurd feature in electron like exec:///....

grmpyninja replied May 16, 2018

because

<a href=javascript:alert(1)>Click</a>

is a valid XSS payload that triggers a code execution.
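The point raised in the comments above is that an `href` is only safe when its scheme is one the application intends to open. As an added example (not Signal Desktop's code, and not written by any of the commenters), here is a small linkifier built around the `URL_REGEX` from this commit: it escapes the message first, turns newlines into `<br>`, and only emits an anchor when the captured URL also passes an explicit scheme allowlist. The helper names `escapeHtml`, `isSafeHref` and `linkify` are hypothetical, and `isSafeHref` goes beyond the commit by parsing the candidate with the WHATWG `URL` class rather than trusting the regex alone.

```javascript
// Added example, not Signal Desktop's code. The URL_REGEX below is copied from
// the commit; escapeHtml, isSafeHref and linkify are hypothetical helper names.

const URL_REGEX = /(^|[\s\n]|<br\/?>)((?:https?|ftp):\/\/[-A-Z0-9\u00A0-\uD7FF\uE000-\uFDCF\uFDF0-\uFFFD+\u0026\u2019@#/%?=()~_|!:,.;]*[-A-Z0-9+\u0026@#/%=~()_|])/gi;

// Schemes the app is willing to open. javascript:, data:, file:, vbscript: etc.
// are all refused by omission rather than by a denylist.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'ftp:']);

// Entity-escape the characters that matter in HTML text and attribute values.
// This plays the role of the jQuery .text()/.html() round trip in the diff.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Parse the candidate href with the platform URL parser and accept it only if
// its scheme is on the allowlist. Relative or malformed input is not linked.
function isSafeHref(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Escape first, then linkify. Because escaping happens before the regex runs,
// a message such as <a href=javascript:alert(1)>Click</a> arrives here as
// inert text (&lt;a href=...&gt;) and cannot become a live anchor.
function linkify(message) {
  const escaped = escapeHtml(message).replace(/\n/g, '<br>');
  return escaped.replace(URL_REGEX, (match, prefix, url) => {
    if (!isSafeHref(url)) {
      return match; // keep the original text untouched
    }
    // rel='noopener noreferrer' closes the window.opener channel for _blank links.
    return `${prefix}<a href='${url}' target='_blank' rel='noopener noreferrer'>${url}</a>`;
  });
}

// Constructed sample messages for a quick manual run.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(linkify('see http://example.com/path?q=1 now'));
  console.log(linkify('<a href=javascript:alert(1)>Click</a>'));
  console.log(isSafeHref('file:///etc/passwd'));
}
```

The two layers are deliberate: the regex decides what text looks like a link, and `isSafeHref` decides whether the app is willing to open it, so loosening the regex later does not silently widen the set of schemes that reach an `href`.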
