
Added mailto protocol to safe list

Ariel Fuggini 5 年之前
父节点
当前提交
c70a256eb1
共有 2 个文件被更改,包括 7 次插入1 次删除
  1. 6 0
      spec/xss.js
  2. 1 1
      src/utils/html.js

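--- a/spec/xss.js
+++ b/spec/xss.js
@@ -218,6 +218,9 @@ describe("XSS", function () {
             }, {
                 entered: 'WWW.SOMETHING.COM/?x=dKasdDAsd4JAsd3OAJSD23osajAidj',
                 href: 'http://WWW.SOMETHING.COM/?x=dKasdDAsd4JAsd3OAJSD23osajAidj',
+            }, {
+                entered: 'mailto:test@mail.org',
+                href: 'mailto:test@mail.org',
             }];
 
             function checkNonParsedURL (url) {
@@ -259,6 +262,9 @@ describe("XSS", function () {
             await mock.sendMessage(view, good_urls[4].entered);
             checkParsedURL(good_urls[4]);
 
+            await mock.sendMessage(view, good_urls[5].entered);
+            checkParsedURL(good_urls[5]);
+
             done();
         }));
     });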
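Review bot: The second hunk keeps extending the positional pattern (`good_urls[4]`, now `good_urls[5]`), so each new fixture needs a matching hand-written pair of lines and a wrong index silently re-tests an older entry; iterating the fixture list would make the new mailto case and future ones self-registering, e.g. `for (const url of good_urls) { await mock.sendMessage(view, url.entered); checkParsedURL(url); }`. The new fixture only covers the accepted scheme; since the companion change widens the protocol allowlist, a sibling entry asserting that a non-allowlisted scheme stays unparsed (via the existing `checkNonParsedURL`) would pin the boundary the allowlist is meant to enforce, unless such a case already exists outside this hunk. The enclosing `it(...)` callback and the `good_urls` declaration both start outside the hunk.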

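--- a/src/utils/html.js
+++ b/src/utils/html.js
@@ -22,7 +22,7 @@ import tpl_video from "../templates/video.js";
 import u from "../headless/utils/core";
 
 const URL_REGEX = /\b(https?\:\/\/|www\.|https?:\/\/www\.)[^\s<>]{2,200}\b\/?/g;
-const APPROVED_URL_PROTOCOLS = ['http', 'https', 'xmpp'];
+const APPROVED_URL_PROTOCOLS = ['http', 'https', 'xmpp', 'mailto'];
 
 function getAutoCompleteProperty (name, options) {
     return {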
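Review bot: `APPROVED_URL_PROTOCOLS` on the changed line is a security allowlist held in a plain mutable array, so any code in the module (or a test) can push onto it at runtime; freezing it makes the policy read-only, `const APPROVED_URL_PROTOCOLS = Object.freeze(['http', 'https', 'xmpp', 'mailto']);`. A short comment stating the list's role would help the next reader, e.g. `// Schemes that may be rendered as clickable links; anything else is left as plain text.` Note that `URL_REGEX` on the line above still only matches `http(s)://` and `www.` prefixes, so the path by which a bare `mailto:` string reaches the protocol check is not visible in this hunk and is presumably handled elsewhere in the file; worth confirming that whatever consults this list compares the scheme case-insensitively, since the list is all lowercase.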