Add URL sanitizer to avoid javascript: XSS attack vector

2017-10-30 17:43:23 -07:00
parent 4eae9b681b
commit afa615e01d
6 changed files with 22 additions and 12 deletions
--- a/src/core/components/operations.jsx
+++ b/src/core/components/operations.jsx
@@ -1,7 +1,7 @@
 import React from "react"
 import PropTypes from "prop-types"
 import { helpers } from "swagger-client"
-import { createDeepLinkPath } from "core/utils"
+import { createDeepLinkPath, sanitizeUrl } from "core/utils"
 const { opId } = helpers

 export default class Operations extends React.Component {
@@ -101,7 +101,7 @@ export default class Operations extends React.Component {
                          { tagExternalDocsUrl ? ": " : null }
                          { tagExternalDocsUrl ?
                            <a
-                              href={tagExternalDocsUrl}
+                              href={sanitizeUrl(tagExternalDocsUrl)}
                              onClick={(e) => e.stopPropagation()}
                              target={"_blank"}
                            >{tagExternalDocsUrl}</a> : null