From 5d721d6f4c6930453255f473970ac355177a093b Mon Sep 17 00:00:00 2001
From: alexcjohnson
Date: Tue, 23 May 2017 09:53:57 -0400
Subject: [PATCH 1/2] add empty protocol to link whitelist for IE relative links
---
 src/lib/svg_text_utils.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/lib/svg_text_utils.js b/src/lib/svg_text_utils.js
index 61a992f8188..974bea9a264 100644
--- a/src/lib/svg_text_utils.js
+++ b/src/lib/svg_text_utils.js
@@ -252,7 +252,13 @@ var TAG_CLOSE = {
 sub: ''
 };
-var PROTOCOLS = ['http:', 'https:', 'mailto:'];
+/*
+ * Whitelist of protocols in user-supplied urls. Mostly we want to avoid javascript
+ * and related attack vectors. The empty string is there for IE, that treats
+ * relative paths as having no protocol, while other browsers have these explicitly
+ * inherit the protocol of the page they're in.
+ */
+var PROTOCOLS = ['http:', 'https:', 'mailto:', ''];
 var STRIP_TAGS = new RegExp(']*)?/?>', 'g');
From b5f5168edb4ec97a3a85ffd715fde5e0efe85703 Mon Sep 17 00:00:00 2001
From: alexcjohnson
Date: Tue, 23 May 2017 15:00:22 -0400
Subject: [PATCH 2/2] moar "no protocol" values for even more IE dialects
---
 src/lib/svg_text_utils.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/lib/svg_text_utils.js b/src/lib/svg_text_utils.js
index 974bea9a264..0f1d538b6a4 100644
--- a/src/lib/svg_text_utils.js
+++ b/src/lib/svg_text_utils.js
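Review bot: Putting the empty string into PROTOCOLS is only safe if the membership test that consumes this array uses strict equality; under a prefix or substring test (`indexOf(p) === 0`, `startsWith`, `RegExp` built from the entries) `''` matches every protocol, including `javascript:`, and silently defeats the whitelist. The consumer of PROTOCOLS is outside this hunk, so I cannot confirm which form it takes, but the constraint is worth pinning next to the array so a later refactor does not break it, e.g. `// '' is a deliberate entry: membership MUST be an exact-equality check (indexOf/===), never a prefix match.` It would also help to say in the comment which browser API the compared value comes from (presumably an anchor element's `.protocol`), since the whole whitelist rests on that parser's behaviour. The hunk ends at the STRIP_TAGS declaration, which looks garbled by extraction and is not part of this change.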
@@ -254,11 +254,11 @@ var TAG_CLOSE = {
 /*
 * Whitelist of protocols in user-supplied urls. Mostly we want to avoid javascript
- * and related attack vectors. The empty string is there for IE, that treats
- * relative paths as having no protocol, while other browsers have these explicitly
- * inherit the protocol of the page they're in.
+ * and related attack vectors. The empty items are there for IE, that in various
+ * versions treats relative paths as having different flavors of no protocol, while
+ * other browsers have these explicitly inherit the protocol of the page they're in.
 */
-var PROTOCOLS = ['http:', 'https:', 'mailto:', ''];
+var PROTOCOLS = ['http:', 'https:', 'mailto:', '', undefined, ':'];
 var STRIP_TAGS = new RegExp(']*)?/?>', 'g');
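Review bot: Whitelisting `undefined` and `':'` in the new PROTOCOLS line makes the check fail open: those are the values a browser reports when it could not or did not parse a scheme, which is exactly where obfuscated hrefs (a scheme split by tab or newline characters, control characters before the colon) tend to land, and such an href may still navigate as `javascript:` once the browser strips the whitespace on click. I cannot confirm from this hunk which inputs the affected IE versions report as `':'` or `undefined`, so treat this as a risk to rule out rather than a known bypass. A cheap fail-closed complement is to trust a "no protocol" result only when the raw href also looks relative, e.g. `var SCHEME_RE = /^[a-z][a-z0-9+.-]*:/i;` and, at the check site, `if(!SCHEME_RE.test(String(href).replace(/[\x00-\x20]/g, ''))) /* accept as relative */`. The check that consumes PROTOCOLS is outside this hunk, so that second guard would go wherever the protocol comparison is made.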