fix(extension-link): use whitelist for allowed href values #5160
Conversation
✅ Deploy Preview for tiptap-embed ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
Thanks to all for their work on this. Based on the code I imagine that this properly prevents Is this (or will this be) backported to older versions? |
|
Can anyone advise whether this will be backported? I understand the desire is probably not to continue maintaining older versions, but with this being a security issue and a number of outstanding issues blocking upgrade paths, I think it should be planned to be backported at least a few versions. |
#### What type of PR is this? /kind improvement /area editor /milestone 2.17.x #### What this PR does / why we need it: 在用户设置 iframe 相关的 src 时,检测设置的链接是否符合白名单。如果不符合则不允许设置。 see ueberdosis/tiptap#5160 #### How to test it? 测试在 iframe 中的 src 输入 `javascript: alert("1")` 时是否会触发 javascript #### Does this PR introduce a user-facing change? ```release-note 处理默认编辑器中 iframe 标签的 src 属性可能存在的风险 ```
Changes Overview
Link href values needs to be sanitized to not result in XSS vulnerabilities.
Implementation Approach
Link href values only allows whitelisted patterns for url, that are known to not be dangerous.
Testing Done
The link extension spec has been updated to cover both positive and negative tests.
Verification Steps
Link extension still functions as expected when testing with valid links, such as relative, absolute, with different schemes etc.
Additional Notes
Checklist
feat: Implement new featureorchore(deps): Update dependencies)Related Issues