Prevent hyperlink handler for potential dangerous URIs

This prevents the user from clicking on URIs starting with `javascript:` or `data:`. The reason behind this is that this may be used to trick users in executing dangerous JS when viewing an untrusted document. (which is the case in our deployment for ownCloud) I'm not absolutely happy with that patch since it uses a blacklisting instead a whitelisting approach, but I consider it a feasible approach. Especially, considering all the possible values. (`mailto:foo@bar.com`, `ftp://`, `skype://`, etc...)
webodf · Dec 3, 2014 · 805a110 · 805a110
1 parent 4b06c28
commit 805a110
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -11,6 +11,7 @@ See also section about WebODF
 
 * Fix wrongly enabled hyperlink tools with no document loaded ([#833](https://github.com/kogmbh/WebODF/pull/833))
 * Prevent Cross-Site Scripting from style names and font names ([#849](https://github.com/kogmbh/WebODF/pull/849)))
+* Prevent Cross-Site Scripting from links ([#850](https://github.com/kogmbh/WebODF/pull/850)))
 
 # Changes between 0.5.3 and 0.5.4
 

diff --git a/webodf/lib/gui/HyperlinkClickHandler.js b/webodf/lib/gui/HyperlinkClickHandler.js
@@ -115,8 +115,13 @@ gui.HyperlinkClickHandler = function HyperlinkClickHandler(getContainer, keyDown
                 bookmarks[0].scrollIntoView(true);
             }
         } else {
-            // Ask the browser to open the link in a new window.
-            window.open(url);
+            // Ask the browser to open the link in a new window. `javascript` and `data` URIs are disabled for
+            // security reasons.
+            if(/^(javascript|data):/i.test(url)) {
+                runtime.log("WARN:", "potentially malicious URL ignored");
+            } else {
+                window.open(url);
+            }
         }
 
         if (e.preventDefault) {