feat: validate URL schemes in Anchor, IFrame and Page#open (#24539, #24897) (CP: 25.1)#24924
Conversation
…CP: 25.2) (#24588) This PR cherry-picks changes from the original PR #24539 to branch 25.2. --- #### Original PR description > Re-introduce URL-scheme validation for link and navigation sinks after the revert of #24371, using application-wide configuration plus a per-instance opt-out instead of the previous thread-unsafe static setter. > > Safe schemes are read from the new com.vaadin.safeUrlSchemes (InitParameters.URL_SAFE_SCHEMES) configuration property, defaulting to http, https, mailto, tel and ftp so that script-capable schemes such as javascript and data are rejected. Setting the property to "*" marks every scheme as safe and keeps the previous behaviour. Relative URLs are always considered safe; the scheme is extracted manually rather than via URI parsing so that valid relative URLs (e.g. containing spaces) are not falsely rejected. > > For trusted, hard-coded URLs whose scheme is not configured as safe, each sink offers an unsafe variant that bypasses validation: Anchor#setUnsafeHref, IFrame#setUnsafeSrc and Page#openUnsafe. > Co-authored-by: Artur Signell <artur@vaadin.com> Co-authored-by: Anton Platonov <platosha@gmail.com> Co-authored-by: Anton Platonov <anton@vaadin.com> (cherry picked from commit fc47f4a)
`InitParameters.URL_SAFE_SCHEMES` used the value `com.vaadin.safeUrlSchemes`, which is inconsistent with every other parameter in the class — none of them carry a `com.vaadin.` prefix. Since the parameter already shipped in 25.2.1, the old name must keep working to avoid breaking existing configurations. Change the canonical value to `safeUrlSchemes` and add a deprecated `URL_SAFE_SCHEMES_LEGACY` constant holding the previous value. `AbstractDeploymentConfiguration#getUrlSafeSchemes` now reads the new name first and falls back to the legacy name, with the new name taking precedence when both are present. (cherry picked from commit bdce786)
Adjust the implementation for defaults when "safeUrlSchemes" configuration is missing, so that URL validation is disabled by default, and all URLs are considered safe. This avoids unexpected behavior changes for existing users of Flow 25.1 and below. URL scheme validation could be enabled with configuration when necessary.
|
@mcollovati I also removed |
mcollovati
left a comment
There was a problem hiding this comment.
Current AnchorTest and IFrameTest need to be refactored to mock a strict 25.2 like config and improved with tests asserting exception is not thrown by default
|
|
Hi @platosha and @mcollovati, when i performed cherry-pick to this commit to 24.10, i have encountered the following issue. Can you take a look and pick it manually? |
|
Hi @platosha and @mcollovati, when i performed cherry-pick to this commit to 25.0, i have encountered the following issue. Can you take a look and pick it manually? |
|
Hi @platosha and @mcollovati, when i performed cherry-pick to this commit to 24.9, i have encountered the following issue. Can you take a look and pick it manually? |


This PR cherry-picks changes from the original PRs #24539 and #24897 to branch 25.1, and also disables the validation by default.
The defaults when "safeUrlSchemes" configuration is missing is adjusted, so that URL validation is disabled by default, and all URLs are considered safe. This avoids unexpected behavior changes for existing users of Flow 25.1 and below.
The URL scheme validation feature could be enabled with configuration when necessary.