Prevent javascript:// URLs from linking in text fields.
Review Request #896 — Created Oct. 2, 2017 and updated — Latest diff uploaded
| Information | |
|---|---|
| guest5951 | |
| Review Board | |
| 157dbe0... | |
| Reviewers | guest8527 |
When rendering text for text fields, we attempt to turn anything that looks like a link into an actual link, to make it easier to navigate to any referenced URLs. However, this logic also catches `javascript://` URLs, which can be used to execute code from within the context of the page.

This change moves to a URI scheme whitelist, allowing safe URLs to be opened, while disallowing everything else (including `javascript:` URLs). This prevents users from accidentally clicking a malicious link.

The major types of schemes people care about are whitelisted, along with a few more obscure ones (including `gopher://`, why not). It's easy to add more supported types to the whitelist.

We don't need to guard against malicious URLs in Markdown links, as Python-Markdown already whitelists schemes itself.

Testing Done:

Unit tests pass.

Manually tested a variety of supported and unsupported URLs, to check that linking was working correctly.

Reviewed at https://reviews.reviewboard.org/r/9160/
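As an added illustration of the scheme-whitelist approach this review request describes (example code, not Review Board's own implementation; the `ALLOWED_SCHEMES` set, the `URL_RE` pattern and the `linkify` function are assumptions for this example), the autolinker below wraps a match in an `<a>` tag only when its scheme, compared case-insensitively, is on the whitelist. Anything else, such as `javascript:`, `vbscript:` or `data:`, is emitted as HTML-escaped plain text, so it never becomes clickable:

```python
import html
import re

# Schemes that may become clickable links. Assumed list for this example;
# the real Review Board whitelist may differ. Everything not listed here
# (javascript, vbscript, data, ...) is deliberately left unlinked.
ALLOWED_SCHEMES = frozenset({
    'http', 'https', 'ftp', 'ftps', 'sftp', 'ssh', 'mailto',
    'irc', 'news', 'nntp', 'telnet', 'gopher',
})

# Anything that looks like "scheme:rest" or "scheme://rest". The scheme
# follows RFC 3986 syntax (letter, then letters/digits/+/-/.); the rest runs
# until whitespace or a character that would break out of an attribute.
URL_RE = re.compile(r'\b([A-Za-z][A-Za-z0-9+.-]*):(//)?([^\s<>"\']+)')

# Punctuation that commonly trails a URL in prose and is not part of it.
_TRAILING = '.,;:!?)'


def is_allowed_scheme(scheme):
    """Whitelist check; the scheme is lowercased so 'JavaScript:' is caught."""
    return scheme.lower() in ALLOWED_SCHEMES


def linkify(text):
    """Escape text for HTML and turn whitelisted URLs into <a> links.

    Non-whitelisted "URLs" are kept verbatim (escaped) so the reader still
    sees them, but they are never rendered as a link.
    """
    out = []
    pos = 0

    for m in URL_RE.finditer(text):
        scheme = m.group(1)
        rest = m.group(3).rstrip(_TRAILING)
        trailing = m.group(3)[len(rest):]

        # The URL proper is "scheme:" (or "scheme://") plus the trimmed rest.
        url = text[m.start():m.start(3)] + rest

        # Everything between the previous match and this one is plain text.
        out.append(html.escape(text[pos:m.start()]))

        if rest and is_allowed_scheme(scheme):
            out.append('<a href="%s">%s</a>'
                       % (html.escape(url, quote=True), html.escape(url)))
        else:
            out.append(html.escape(url))

        out.append(html.escape(trailing))
        pos = m.end()

    out.append(html.escape(text[pos:]))
    return ''.join(out)


if __name__ == '__main__':
    # Constructed sample inputs covering an allowed scheme, a mixed-case
    # javascript: URL, and a data: URL.
    for sample in ('See https://example.com/path?a=1&b=2.',
                   'JavaScript:alert(1) should not be a link',
                   'data:text/html,<b>x</b> is also rejected'):
        print(linkify(sample))
```

Note that the whitelist is checked on the lowercased scheme, so case variations of `javascript:` are handled, and that the URL text is escaped with `quote=True` before it is placed in the `href` attribute so the link target cannot break out of the attribute.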