author | Mathias Bynens <mathias@chromium.org> | 2019-11-20 12:59:44 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-03-24 08:16:02 +0000 |
commit | 09277a67339d27943461b821d91170a37726fdc0 (patch) | |
tree | 75d09cf0d2bd338d282148cc43ebe0f359656282 | |
parent | 442f3b6715dad10b449c073744a949b304916a8d (diff) | |
download | qtwebengine-chromium-09277a67339d27943461b821d91170a37726fdc0.tar.gz |
[Backport] Security bug 1026293
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/1925056:
Harden XLink defense-in-depth
This patch leverages the native `URL` API for URL parsing and
validation for XLink components. It also ensures XLinks get
rel=noopener.
Bug: chromium:1026293
Change-Id: Iad274bbde5d2ad9f0d8b22f35f3e36cba2aa76f1
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js b/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
index a29a72afdc3..548944b569a 100644
--- a/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
+++ b/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
@@ -31,7 +31,8 @@ UI.XLink = class extends UI.XElement {
 this.style.setProperty('display', 'inline');
 UI.ARIAUtils.markAsLink(this);
 this.tabIndex = 0;
- this.setAttribute('target', '_blank');
+ this.target = '_blank';
+ this.rel = 'noopener';
 /** @type {?string} */
 this._href = null;
@@ -71,11 +72,20 @@ UI.XLink = class extends UI.XElement {
 }
 if (attr === 'href') {
- let href = newValue;
- if (newValue.trim().toLowerCase().startsWith('javascript:'))
- href = null;
- if (Common.ParsedURL.isRelativeURL(newValue))
+ // For invalid or non-absolute URLs, `href` should remain `null`.
+ if (!newValue) {
+ newValue = '';
+ }
+ let href = null;
+ let url = null;
+ try {
+ url = new URL(newValue);
+ href = url.toString();
+ } catch (error) {
+ }
+ if (url && url.protocol === 'javascript:') {
 href = null;
+ }
 this._href = href;
 this.title = newValue; |
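Review bot: The switch from `setAttribute('target', '_blank')` to the property assignments `this.target` and `this.rel` only reaches the DOM if the element's class reflects those properties. `UI.XElement` is not visible in this hunk; if it derives from a generic `HTMLElement` rather than an anchor, these become plain JS properties and the previously set `target` attribute silently disappears. If the attributes are meant to be present, keeping `this.setAttribute('target', '_blank');` and adding `this.setAttribute('rel', 'noopener');` is unambiguous; otherwise a comment naming the code that honours `this.rel` when the link is opened would make the hardening verifiable. The constructor begins and ends outside the hunk.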
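Review bot: The scheme check in the `href` branch is still a denylist of one: once `new URL(newValue)` succeeds, only `javascript:` is nulled out, so any other absolute scheme is stored in `_href` unchanged. If XLink only needs to open web links, an allowlist is the stronger defense-in-depth, e.g. `if (url && url.protocol !== 'http:' && url.protocol !== 'https:') { href = null; }`; which internal schemes must stay allowed cannot be told from this hunk. The empty `catch (error) {}` looks intentional given the comment above it, but it deserves its own `// Not an absolute URL; href stays null.` so it is not mistaken for a swallowed error. The enclosing method begins and ends outside the hunk.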