From 805a1100d78896d3773797f9cf7916084d455adf Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 2 Dec 2014 16:43:21 +0100
Subject: [PATCH] Prevent hyperlink handler for potential dangerous URIs

This prevents the user from clicking on URIs starting with `javascript:` or `data:`. The reason behind this is that this may be used to trick users in executing dangerous JS when viewing an untrusted document. (which is the case in our deployment for ownCloud) I'm not absolutely happy with that patch since it uses a blacklisting instead a whitelisting approach, but I consider it a feasible approach. Especially, considering all the possible values. (`mailto:foo@bar.com`, `ftp://`, `skype://`, etc...)
---
 ChangeLog.md | 1 +
 webodf/lib/gui/HyperlinkClickHandler.js | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index 4df6f6d2c..995995bae 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -11,6 +11,7 @@ See also section about WebODF
 * Fix wrongly enabled hyperlink tools with no document loaded ([#833](https://github.com/kogmbh/WebODF/pull/833))
 * Prevent Cross-Site Scripting from style names and font names ([#849](https://github.com/kogmbh/WebODF/pull/849)))
+* Prevent Cross-Site Scripting from links ([#850](https://github.com/kogmbh/WebODF/pull/850)))
 # Changes between 0.5.3 and 0.5.4
diff --git a/webodf/lib/gui/HyperlinkClickHandler.js b/webodf/lib/gui/HyperlinkClickHandler.js
index 629df54ee..ffa98ce4d 100644
--- a/webodf/lib/gui/HyperlinkClickHandler.js
+++ b/webodf/lib/gui/HyperlinkClickHandler.js
@@ -115,8 +115,13 @@ gui.HyperlinkClickHandler = function HyperlinkClickHandler(getContainer, keyDown
 bookmarks[0].scrollIntoView(true);
 }
 } else {
- // Ask the browser to open the link in a new window.
- window.open(url);
+ // Ask the browser to open the link in a new window. `javascript` and `data` URIs are disabled for
+ // security reasons.
+ if(/^(javascript|data):/i.test(url)) {
+ runtime.log("WARN:", "potentially malicious URL ignored");
+ } else {
+ window.open(url);
+ }
 }
 if (e.preventDefault) {
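Review bot: The check `/^(javascript|data):/i.test(url)` in the new `else` branch only matches when the scheme sits at the very first character of the raw string, but browsers normalise a URL (dropping leading whitespace and control characters, and embedded tabs and newlines) before resolving its scheme, so a value the regex lets through can still reach `window.open` as a script URL. Test a normalised copy instead, e.g. `var probe = url.replace(/[\u0000-\u0020]/g, "");` followed by `if (/^(javascript|data|vbscript):/i.test(probe)) {`. Better still, as the commit message itself concedes, replace the denylist with an allowlist of schemes (`http`, `https`, `mailto`, `ftp`) for absolute URLs. How `url` is derived is not visible here, so confirm whether it is already trimmed or resolved before this branch; the enclosing handler starts and ends outside the hunk.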