From b76df324eaaddda878447fa056a444a390a687f7 Mon Sep 17 00:00:00 2001
From: Matt Oberle <matt.r.oberle@gmail.com>
Date: Wed, 11 Nov 2020 13:30:31 -0500
Subject: [PATCH] protects against invalid Quill links

The default behavior when parsing a link in Quill:

1. Check if link matches a list of valid protocols.
2. If not, change link text to `about:blank`.

Kiln wraps the `Link.sanitize` function to prepend `http://` in front
of any link missing a protocol.

As a result we can end up with invalid links like this:

```
"http://one two three"
```

This commit preserves the convenience factor of not **requiring** end
users to enter a protocol, but validates that the link produced is a
valid URL. Invalid URLs will revert to `about:blank`.

This commit also changes the default protocol to `https://` which is a
reasonable expectation and more secure default.
---
 inputs/wysiwyg.vue | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/inputs/wysiwyg.vue b/inputs/wysiwyg.vue
index d8c18e49a..1b9470106 100644
--- a/inputs/wysiwyg.vue
+++ b/inputs/wysiwyg.vue
@@ -170,10 +170,18 @@
   Link.sanitize = (value) => {
     if (!(/^\w+:/).test(value) && !(/^#/).test(value)) {
       // no protocol, and the link doesn't start with a hash (in-page links),
-      // so add http://
+      // so add https://
       // note: links that start with // are an antipattern, and this will NOT handle them
       // https://jeremywagner.me/blog/stop-using-the-protocol-relative-url
-      value = `http://${value}`;
+      value = `https://${value}`;
+
+      // modified links that still don't pass for valid urls will default to
+      // the default quill behavior (using about:blank)
+      try {
+        new URL(value);
+      } catch (err) {
+        value = 'about:blank';
+      }
     }
 
     return originalLinkSanitize.call(Link, value);