Skip to content

feat: validate URL schemes in Anchor, IFrame and Page#open (#24539, #24897) (CP: 25.1)#24924

Merged
mcollovati merged 8 commits into
25.1from
fix/25.1-url-validation
Jul 8, 2026
Merged

feat: validate URL schemes in Anchor, IFrame and Page#open (#24539, #24897) (CP: 25.1)#24924
mcollovati merged 8 commits into
25.1from
fix/25.1-url-validation

Conversation

@platosha

@platosha platosha commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This PR cherry-picks changes from the original PRs #24539 and #24897 to branch 25.1, and also disables the validation by default.

The defaults when "safeUrlSchemes" configuration is missing is adjusted, so that URL validation is disabled by default, and all URLs are considered safe. This avoids unexpected behavior changes for existing users of Flow 25.1 and below.

The URL scheme validation feature could be enabled with configuration when necessary.

vaadin-bot and others added 3 commits July 7, 2026 13:37
…CP: 25.2) (#24588)

This PR cherry-picks changes from the original PR #24539 to branch 25.2.
---
#### Original PR description
> Re-introduce URL-scheme validation for link and navigation sinks after
the revert of #24371, using application-wide configuration plus a
per-instance opt-out instead of the previous thread-unsafe static
setter.
>
> Safe schemes are read from the new com.vaadin.safeUrlSchemes
(InitParameters.URL_SAFE_SCHEMES) configuration property, defaulting to
http, https, mailto, tel and ftp so that script-capable schemes such as
javascript and data are rejected. Setting the property to "*" marks
every scheme as safe and keeps the previous behaviour. Relative URLs are
always considered safe; the scheme is extracted manually rather than via
URI parsing so that valid relative URLs (e.g. containing spaces) are not
falsely rejected.
>
> For trusted, hard-coded URLs whose scheme is not configured as safe,
each sink offers an unsafe variant that bypasses validation:
Anchor#setUnsafeHref, IFrame#setUnsafeSrc and Page#openUnsafe.
>

Co-authored-by: Artur Signell <artur@vaadin.com>
Co-authored-by: Anton Platonov <platosha@gmail.com>
Co-authored-by: Anton Platonov <anton@vaadin.com>
(cherry picked from commit fc47f4a)
`InitParameters.URL_SAFE_SCHEMES` used the value
`com.vaadin.safeUrlSchemes`, which is inconsistent with every other
parameter in the class — none of them carry a `com.vaadin.` prefix.
Since the parameter already shipped in 25.2.1, the old name must keep
working to avoid breaking existing configurations.

Change the canonical value to `safeUrlSchemes` and add a deprecated
`URL_SAFE_SCHEMES_LEGACY` constant holding the previous value.
`AbstractDeploymentConfiguration#getUrlSafeSchemes` now reads the new
name first and falls back to the legacy name, with the new name taking
precedence when both are present.

(cherry picked from commit bdce786)
Adjust the implementation for defaults when "safeUrlSchemes" configuration is missing, so that URL validation is disabled by default, and all URLs are considered safe. This avoids unexpected behavior changes for existing users of Flow 25.1 and below.

URL scheme validation could be enabled with configuration when necessary.
@platosha platosha changed the title fix/25.1 url validation feat: validate URL schemes in Anchor, IFrame and Page#open (#24539) (CP: 25.1) Jul 7, 2026
@platosha platosha changed the title feat: validate URL schemes in Anchor, IFrame and Page#open (#24539) (CP: 25.1) feat: validate URL schemes in Anchor, IFrame and Page#open (#24539, #24897) (CP: 25.1) Jul 7, 2026
@platosha platosha requested a review from mcollovati July 7, 2026 11:57
@platosha platosha added the target/25.0 Cherry-pick to 25.0 branch label Jul 7, 2026
@github-actions github-actions Bot added the +0.1.0 label Jul 7, 2026
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

Test Results

 1 398 files  ± 0   1 398 suites  ±0   1h 30m 31s ⏱️ +22s
10 105 tests +30  10 035 ✅ +30  70 💤 ±0  0 ❌ ±0 
10 580 runs  +30  10 501 ✅ +30  79 💤 ±0  0 ❌ ±0 

Results for commit 0429050. ± Comparison against base commit 149bf7c.

♻️ This comment has been updated with latest results.

Comment thread flow-server/src/main/java/com/vaadin/flow/server/InitParameters.java Outdated
@platosha

platosha commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

@mcollovati I also removed Constants.DEFAULT_URL_SAFE_SCHEMES, as it seems confusing with actual defaults being different here.

@mcollovati mcollovati left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current AnchorTest and IFrameTest need to be refactored to mock a strict 25.2 like config and improved with tests asserting exception is not thrown by default

@sonarqubecloud

sonarqubecloud Bot commented Jul 8, 2026

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@vaadin-bot

Copy link
Copy Markdown
Collaborator

Hi @platosha and @mcollovati, when i performed cherry-pick to this commit to 24.10, i have encountered the following issue. Can you take a look and pick it manually?
Error Message:
Error: Command failed: git cherry-pick 28e55a3
error: could not apply 28e55a3... feat: validate URL schemes in Anchor, IFrame and Page#open (#24539, #24897) (CP: 25.1) (#24924)
hint: After resolving the conflicts, mark them with
hint: "git add/rm ", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".

@vaadin-bot

Copy link
Copy Markdown
Collaborator

Hi @platosha and @mcollovati, when i performed cherry-pick to this commit to 25.0, i have encountered the following issue. Can you take a look and pick it manually?
Error Message:
Error: Command failed: git cherry-pick 28e55a3
error: could not apply 28e55a3... feat: validate URL schemes in Anchor, IFrame and Page#open (#24539, #24897) (CP: 25.1) (#24924)
hint: After resolving the conflicts, mark them with
hint: "git add/rm ", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".

@vaadin-bot

Copy link
Copy Markdown
Collaborator

Hi @platosha and @mcollovati, when i performed cherry-pick to this commit to 24.9, i have encountered the following issue. Can you take a look and pick it manually?
Error Message:
Error: Command failed: git cherry-pick 28e55a3
error: could not apply 28e55a3... feat: validate URL schemes in Anchor, IFrame and Page#open (#24539, #24897) (CP: 25.1) (#24924)
hint: After resolving the conflicts, mark them with
hint: "git add/rm ", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants