html-tagged-template.js: Authorize more protocols

https://github.com/straker/html-tagged-template/issues/26 discusses
authorizing the data:// protocol. The gist of it is that it's dangerous
because data:text/html can be used for XSS attacks. We avoid this
problem by explicitly allowing only a few base64-encoded image
formats.
glacambre 2019-01-18 19:20:21 +01:00
parent d1ce62ec6d
commit 3ddf350dc0
No known key found for this signature in database
GPG key ID: B9625DB1767553AC


@ -457,14 +457,24 @@
substitutionValue.indexOf(":") !==
-1
) {
let protocol = substitutionValue.substring(
0,
5,
)
const authorized_protocols = [
"http://",
"https://",
"moz-extension://",
"about://",
"data:image/png;base64",
"data:image/gif;base64",
"data:image/jpg;base64",
"data:image/jpeg;base64",
"data:image/x-icon;base64",
]
// If substitutionValue doesn't start with any of the authorized protocols
if (
protocol.indexOf("http") ===
-1 &&
protocol.indexOf("moz-") == -1
!authorized_protocols.find(p =>
substitutionValue.startsWith(
p,
),
)
) {
isRejected = true
}
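Review bot: The allow-list at `const authorized_protocols = [` is rebuilt as a fresh mutable array on every substitution and the test uses `find`, which yields the matched prefix rather than a boolean; hoisting it to module scope as `const AUTHORIZED_PROTOCOLS = Object.freeze([...])` and checking `!AUTHORIZED_PROTOCOLS.some(p => substitutionValue.startsWith(p))` states the intent directly and keeps the list from being mutated at runtime. The match is a case-sensitive prefix comparison, so `HTTP://` or `DATA:image/png;base64,` are rejected — fail-closed, which is fine, but worth recording above the list as `// Case-sensitive prefix allow-list: anything else (including data:text/html and data:image/svg+xml) is rejected`. The `"about://"` entry may never match, since about: URLs are usually written without an authority (`about:blank`) — confirm which form callers actually pass before keeping it. The enclosing function begins before this hunk.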