html-tagged-template.js: Authorize more protocols

https://github.com/straker/html-tagged-template/issues/26 discusses
authorizing the data:// protocol. The gist of it is that it's dangerous
because data:text/html can be used for XSS attacks. We circumvent this
problem by explicitly allowing only a few base64-encoded image
formats.
This commit is contained in:
glacambre 2019-01-18 19:20:21 +01:00
parent d1ce62ec6d
commit 3ddf350dc0
No known key found for this signature in database
GPG key ID: B9625DB1767553AC


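--- a/html-tagged-template.js
+++ b/html-tagged-template.js
@@ -457,14 +457,24 @@
 substitutionValue.indexOf(":") !==
 -1
 ) {
-let protocol = substitutionValue.substring(
-0,
-5,
-)
+const authorized_protocols = [
+"http://",
+"https://",
+"moz-extension://",
+"about://",
+"data:image/png;base64",
+"data:image/gif;base64",
+"data:image/jpg;base64",
+"data:image/jpeg;base64",
+"data:image/x-icon;base64",
+]
+// If substitutionValue doesn't start with any of the authorized protocols
 if (
-protocol.indexOf("http") ===
--1 &&
-protocol.indexOf("moz-") == -1
+!authorized_protocols.find(p =>
+substitutionValue.startsWith(
+p,
+),
+)
 ) {
 isRejected = true
 }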
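Review bot: The `"about://"` entry in authorized_protocols never matches a real about: URL (`about:blank` has no `//`), so if about: pages were meant to pass the prefix should be `"about:"`; the same `startsWith` check is also case-sensitive, so `HTTP://...` is rejected even though browsers treat schemes case-insensitively, and comparing a lowercased copy of substitutionValue would keep the allow-list semantics while fixing that. The list is rebuilt on every substitution and `find` is used where a boolean is wanted; hoisting it to a frozen module-level constant and testing with `authorized_protocols.some(p => substitutionValue.startsWith(p))` reads more clearly. The reason the data: entries are limited to base64 raster types lives only in the commit message, so a comment such as `// data: is limited to base64 raster images: data:text/html and data:image/svg+xml can carry script (issue #26)` would keep the rationale next to the allow-list. The enclosing function starts and ends outside the hunk.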