fix(file-viewer): sanitize docx hyperlink hrefs to block javascript: XSS#5599
Conversation
Sanitize anchor hrefs rendered by docx-preview after render, stripping any scheme outside http/https/mailto (same allowlist already used by the PPTX renderer). Covers both the workspace file viewer and the unauthenticated public share page, which reuse the same component.
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryLow Risk Overview Shared URL policy: Reviewed by Cursor Bugbot for commit 4c70118. Configure here. |
Greptile SummaryThis PR adds shared URL safety handling for rendered document links. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (1): Last reviewed commit: "fix(file-viewer): sanitize docx hyperlin..." | Re-trigger Greptile |
Summary
docx-previewcopies external hyperlink targets straight into anchorhrefwith no scheme check, so a crafted.docxcould render ajavascript:link into the app originsanitizeRenderedHyperlinks(reusing the same http/https/mailto allowlist already used by the PPTX renderer) and run it on the rendered DOM right afterrenderAsynccompletes#section) are left intact; surviving external links getrel="noopener noreferrer"isAllowedExternalUrlallowlist fromlib/pptx-renderer/utilstolib/core/securitysince it's now used by both renderers/f/[token]share page, which reuse the same componentType of Change
Testing
sanitizeRenderedHyperlinkscoveringjavascript:,data:,vbscript:stripping, bookmark preservation, and allowed-link passthroughChecklist