Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent getSelector from returning URLs as selector #32586

Merged
merged 11 commits into from Feb 3, 2021
+36 −1
Merged

Prevent getSelector from returning URLs as selector #32586

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
20fca9b
added checks to getSelector in util to prevent returning hrefs that a…
Dec 21, 2020
24fe99c
restored compatibility for the class selector and added test cases fo…
Dec 22, 2020
d5f340d
Merge branch 'main' into 32273-dropdown-item-error-with-external-link
RoflCopter24 Dec 22, 2020
9540d6c
Code review: merge null check into following condition
Dec 22, 2020
0896531
Merge branch 'main' into 32273-dropdown-item-error-with-external-link
RoflCopter24 Dec 22, 2020
7883619
Update index.spec.js
XhmikosR Dec 29, 2020
82b1274
Merge branch 'main' into 32273-dropdown-item-error-with-external-link
XhmikosR Jan 28, 2021
2349e56
Update index.js
XhmikosR Jan 30, 2021
9636ebf
Merge branch 'main' into 32273-dropdown-item-error-with-external-link
RoflCopter24 Feb 1, 2021
c8629a7
Update index.js
XhmikosR Feb 3, 2021
544c852
Merge branch 'main' into 32273-dropdown-item-error-with-external-link
XhmikosR Feb 3, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
18 changes: 17 additions & 1 deletion js/src/util/index.js
View file
Open in desktop
Expand Up @@ -36,7 +36,23 @@ const getSelector = element => {
let selector = element.getAttribute('data-bs-target')

if (!selector || selector === '#') {
const hrefAttr = element.getAttribute('href')
let hrefAttr = element.getAttribute('href')

if (!hrefAttr) {
return null
}

// The only valid content that could double as a selector are ids, so everything starting with . or #
// If a 'real' url is used as the selector, document.querySelector will rightfully
// complain it is invalid. (see twbs#32273)
if (!hrefAttr.includes('#') && !hrefAttr.startsWith('.')) {
RoflCopter24 marked this conversation as resolved.
Show resolved Hide resolved
return null
}

// just in case some cms put out a full url with the anchor appended
if (hrefAttr.includes('#') && !hrefAttr.startsWith('#')) {
hrefAttr = '#' + hrefAttr.split('#')[1]
}

selector = hrefAttr && hrefAttr !== '#' ? hrefAttr.trim() : null
}
Expand Down
22 changes: 22 additions & 0 deletions js/tests/unit/util/index.spec.js
View file
Open in desktop
Expand Up @@ -57,6 +57,28 @@ describe('Util', () => {
expect(Util.getSelectorFromElement(testEl)).toEqual('.target')
})

it('should return null if a selector from a href is an url without an anchor', () => {
fixtureEl.innerHTML = [
'<a id="test" data-bs-target="#" href="foo/bar.html"></a>',
'<div class="target"></div>'
].join('')

const testEl = fixtureEl.querySelector('#test')

expect(Util.getSelectorFromElement(testEl)).toBeNull()
})

it('should return the anchor if a selector from a href is an url', () => {
fixtureEl.innerHTML = [
'<a id="test" data-bs-target="#" href="foo/bar.html#target"></a>',
'<div id="target"></div>'
].join('')

const testEl = fixtureEl.querySelector('#test')

expect(Util.getSelectorFromElement(testEl)).toEqual('#target')
})

it('should return null if selector not found', () => {
fixtureEl.innerHTML = '<a id="test" href=".target"></a>'

Expand Down