Avoid rendering JavaScript URLs as clickable links #47

Merged
merged 2 commits into from
Apr 25, 2024

bernhard-herzog

To avoid running JavaScript taken from JSON files downloaded from the internet in the client we now try to render URLs only as clickable links if the protocol of the URL is safe, which more concretely means HTTP or HTTPS. Other URLs are rendered as plain text. This commit only covers links that are obviously treated as links to external resources.

To avoid duplication, this introduces a new component, SafeLink, that takes the URL and optionally id and target attributes and renders a suitable a-element if the protocol is safe and text otherwise.

Fixes #45
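
The protocol allowlist described in the pull request text above, as an added example that is not code from this pull request or the project. The names `safeHref`, `escapeHtml` and `renderSafeLink` are hypothetical, the output is an HTML string rather than a component, and treating relative URLs as plain text is an assumption.

```javascript
// Added example, not the project's SafeLink component. The names safeHref,
// escapeHtml and renderSafeLink are hypothetical.
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalised href for an absolute http(s) URL, otherwise null.
function safeHref(value) {
  if (typeof value !== "string") return null;
  try {
    // The WHATWG parser normalises input as a browser would: it lowercases
    // the scheme and drops surrounding whitespace and embedded tabs/newlines,
    // so the allowlist is compared against the scheme the browser would use.
    const parsed = new URL(value);
    return SAFE_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
  } catch {
    return null; // relative or malformed input (assumption: show as text)
  }
}

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders an a-element for allowlisted URLs and escaped plain text otherwise.
function renderSafeLink(url, { id, target } = {}) {
  const href = safeHref(url);
  if (href === null) return escapeHtml(url);
  const attrs = [`href="${escapeHtml(href)}"`];
  if (id) attrs.push(`id="${escapeHtml(id)}"`);
  // rel="noopener noreferrer" keeps a new tab from reaching window.opener.
  if (target) attrs.push(`target="${escapeHtml(target)}"`, 'rel="noopener noreferrer"');
  return `<a ${attrs.join(" ")}>${escapeHtml(url)}</a>`;
}

// Constructed sample values, standing in for URLs read from a JSON document.
const samples = [
  "https://example.com/advisory?id=1&lang=en",
  "JavaScript:void(0)",
  " \tjavascript:void(0)",
  "data:text/html,<b>x</b>",
  "advisories/2024/example.json",
];
for (const s of samples) console.log(JSON.stringify(s), "->", renderSafeLink(s));
```

Comparing the parsed `protocol` against an allowlist, instead of searching the raw string for known-bad prefixes, is what makes the mixed-case and whitespace-prefixed samples fall through to plain text.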


github-actions bot commented Apr 24, 2024

Coverage Report

| Status | Category | Percentage | Covered / Total |
|---|---|---|---|
| 🟢 | Lines | 87.82% (🎯 60%) | 202 / 230 |
| 🟢 | Statements | 87.98% (🎯 60%) | 227 / 258 |
| 🟢 | Functions | 94.23% (🎯 60%) | 49 / 52 |
| 🟢 | Branches | 84.93% (🎯 60%) | 124 / 146 |

File Coverage: No changed files found.

Generated in workflow #22

@bernhardreiter

@bernhard-herzog as we are going to Apache-2.0 (see #46), can you change the license to Apache-2.0 for the new files already?

@ThomasJunk ThomasJunk requested a review from cintek April 24, 2024 11:07

@ThomasJunk ThomasJunk left a comment

LGTM

@cintek cintek left a comment

LGTM

@ThomasJunk

@bernhard-herzog if you change the license we could merge

This is in preparation of the move to Apache-2.0 discussed in csaf-poc#46
@ThomasJunk ThomasJunk merged commit 51c6e75 into csaf-poc:main Apr 25, 2024
1 check passed
Successfully merging this pull request may close these issues.

JavaScript URLs should not be clickable