Strona główna Odkrywaj Pomoc
Zaloguj się
wpfat23-7
/
RiffMaster_WPFaT2023_Project
1
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Drzewo: c904a8e516
Gałęzie Tagi
RiffMaster_WPFa...
/
Frontend
/
RiffMasterFront
/
node_modules
/
safevalues
/
builders
/
url_sanitizer.mjs

url_sanitizer.mjs 2.2 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566 
  1. /**
    2. 

  2.  * @license
    3. 

  3.  * SPDX-License-Identifier: Apache-2.0
    4. 

  4.  */
    5. 

  5. /**
    6. 

  6.  * @fileoverview Provides functions to enforce the SafeUrl contract at the sink
    7. 

  7.  * level.
    8. 

  8.  */
    9. 

  9. import '../environment/dev';
    10. 

  10. function extractScheme(url) {
    11. 

  11.     let parsedUrl;
    12. 

  12.     try {
    13. 

  13.         parsedUrl = new URL(url);
    14. 

  14.     }
    15. 

  15.     catch (e) {
    16. 

  16.         // According to https://url.spec.whatwg.org/#constructors, the URL
    17. 

  17.         // constructor with one parameter throws if `url` is not absolute. In this
    18. 

  18.         // case, we are sure that no explicit scheme (javascript: ) is set.
    19. 

  19.         // This can also be a URL parsing error, but in this case the URL won't be
    20. 

  20.         // run anyway.
    21. 

  21.         return 'https:';
    22. 

  22.     }
    23. 

  23.     return parsedUrl.protocol;
    24. 

  24. }
    25. 

  25. // We can't use an ES6 Set here because gws somehow depends on this code and
    26. 

  26. // doesn't want to pay the cost of a polyfill.
    27. 

  27. const ALLOWED_SCHEMES = ['data:', 'http:', 'https:', 'mailto:', 'ftp:'];
    28. 

  28. /**
    29. 

  29.  * Checks that the URL scheme is not javascript.
    30. 

  30.  * The URL parsing relies on the URL API in browsers that support it.
    31. 

  31.  * @param url The URL to sanitize for a SafeUrl sink.
    32. 

  32.  * @return undefined if url has a javascript: scheme, the original URL
    33. 

  33.  *     otherwise.
    34. 

  34.  */
    35. 

  35. export function sanitizeJavascriptUrl(url) {
    36. 

  36.     const parsedScheme = extractScheme(url);
    37. 

  37.     if (parsedScheme === 'javascript:') {
    38. 

  38.         if (process.env.NODE_ENV !== 'production') {
    39. 

  39.             console.error(`A URL with content '${url}' was sanitized away.`);
    40. 

  40.         }
    41. 

  41.         return undefined;
    42. 

  42.     }
    43. 

  43.     return url;
    44. 

  44. }
    45. 

  45. /**
    46. 

  46.  * Adapter to sanitize string URLs in DOM sink wrappers.
    47. 

  47.  * @return undefined if the URL was sanitized.
    48. 

  48.  */
    49. 

  49. export function unwrapUrlOrSanitize(url) {
    50. 

  50.     return sanitizeJavascriptUrl(url);
    51. 

  51. }
    52. 

  52. /**
    53. 

  53.  * Sanitizes a URL restrictively.
    54. 

  54.  * This sanitizer protects against XSS and potentially other uncommon and
    55. 

  55.  * undesirable schemes that an attacker could use for e.g. phishing (tel:,
    56. 

  56.  * callto: ssh: etc schemes). This sanitizer is primarily meant to be used by
    57. 

  57.  * the HTML sanitizer.
    58. 

  58.  */
    59. 

  59. export function restrictivelySanitizeUrl(url) {
    60. 

  60.     const parsedScheme = extractScheme(url);
    61. 

  61.     if (parsedScheme !== undefined &&
    62. 

  62.         ALLOWED_SCHEMES.indexOf(parsedScheme.toLowerCase()) !== -1) {
    63. 

  63.         return url;
    64. 

  64.     }
    65. 

  65.     return 'about:invalid#zClosurez';
    66. 

  66. }
    67.