sanitize link-click event that uses shell.openExternal function

[cloverich]

Related: #297

See this Electron explanation

To allow users to click a link rendered in markdown, and have it open an external browser, I provde this functionality:

// in renderer process:
function externalLinksListener(event: any) {
  // hopefully only relevent on <a href="..."> elements
  if (event.target.tagName !== 'A') return;

  const link = event.target.getAttribute('href');
  // don't navigate the main window to an external url
  event.preventDefault();

  // if its not a reference link, open an external browser:
  if (link && link.indexOf('#') !== 0) {
    ipcRenderer.send('link-click', link);
  }
}


// in main process:

// Open browser windows on link-click, an event triggered by renderer process.
ipcMain.on('link-click', (event: any, link: string) => {
  shell.openExternal(link);
});

This works but presents a security issue: if the content is untrusted, the openExternal call could open any program, even a terminal: RCE. Some thoughts:

• allow user to optionally disable this behavior
• validate that the link is a valid web url; disable opening any other kind of application
• ???

I decided to leave it enabled for now, because to work it would at least require the user to copy and paste a malicious link. If I allow html (etc.) in the editor, technically it could also be a script that fires a link click event.

[cloverich]

it would at least require the user to copy and paste a malicious link. If I allow html (etc.) in the editor, technically it could also be a script that fires a link click event.

Also any of the included dependencies (transitive) could trigger this behavior.