From d4571395467aeb1c046896e7693a41b43dfef94b Mon Sep 17 00:00:00 2001
From: Grant <149294029+gtsp233@users.noreply.github.com>
Date: Mon, 22 Jan 2024 02:44:11 -0500
Subject: [PATCH] Validate URL to prevent XSS

---
 packages/yoga/src/Header/web/Header.jsx | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/yoga/src/Header/web/Header.jsx b/packages/yoga/src/Header/web/Header.jsx
index 9c40a2063d..4c32d2a3f8 100644
--- a/packages/yoga/src/Header/web/Header.jsx
+++ b/packages/yoga/src/Header/web/Header.jsx
@@ -26,7 +26,12 @@ const StyledHeader = styled(Box)`
 `}
 `;
 
-const Header = ({ link, logo, children, ...props }) => {
+const Header = ({ link, logo, children, allowJavaScriptUrls = True, ...props }) => {
+ const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i
+ if (isJavaScriptProtocol.test(link) && !allowJavaScriptUrls) {
+ console.warn(`Header has blocked a javascript: URL as a security precaution`);
+ return null;
+ }
 return (