From 5043a049628bbc0c28e00e40e87744efc96a8472 Mon Sep 17 00:00:00 2001
From: Mathias Bynens
Date: Wed, 20 Nov 2019 12:59:44 +0000
Subject: [Backport] Security bug 1026293
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/1925056:
Harden XLink defense-in-depth
This patch leverages the native `URL` API for URL parsing and validation for XLink components. It also ensures XLinks get rel=noopener.
Bug: chromium:1026293
Change-Id: Iad274bbde5d2ad9f0d8b22f35f3e36cba2aa76f1
Reviewed-by: Jüri Valdmann
---
.../blink/renderer/devtools/front_end/ui/XLink.js | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js b/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
index a29a72afdc3..548944b569a 100644
--- a/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
+++ b/chromium/third_party/blink/renderer/devtools/front_end/ui/XLink.js
@@ -31,7 +31,8 @@ UI.XLink = class extends UI.XElement {
 this.style.setProperty('display', 'inline');
 UI.ARIAUtils.markAsLink(this);
 this.tabIndex = 0;
- this.setAttribute('target', '_blank');
+ this.target = '_blank';
+ this.rel = 'noopener';
 /** @type {?string} */
 this._href = null;
@@ -71,11 +72,20 @@ UI.XLink = class extends UI.XElement {
 }
 if (attr === 'href') {
- let href = newValue;
- if (newValue.trim().toLowerCase().startsWith('javascript:'))
- href = null;
- if (Common.ParsedURL.isRelativeURL(newValue))
+ // For invalid or non-absolute URLs, `href` should remain `null`.
+ if (!newValue) {
+ newValue = '';
+ }
+ let href = null;
+ let url = null;
+ try {
+ url = new URL(newValue);
+ href = url.toString();
+ } catch (error) {
+ }
+ if (url && url.protocol === 'javascript:') {
 href = null;
+ }
 this._href = href;
 this.title = newValue;
--
cgit v1.2.1
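Review bot: In the hunk at line 31, `this.target = '_blank'` and `this.rel = 'noopener'` replace an attribute write with property writes, and those only reach the DOM when the element class defines reflecting `target`/`rel` accessors. The base class of `UI.XElement` is not visible here; if it is a generic custom element rather than an anchor, both assignments create plain expando properties and the `rel=noopener` promised in the commit message is never applied. Writing them as `this.setAttribute('target', '_blank');` and `this.setAttribute('rel', 'noopener');` works in either case; otherwise a one-line comment stating that the properties are reflected would settle the question for the next reader. The constructor begins and ends outside the hunk.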
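Review bot: In the hunk at line 72, the scheme check after `new URL(newValue)` is still a deny-list with a single entry, so every other parseable absolute URL (`data:`, `file:`, `blob:` and so on) is stored in `this._href`. For defense-in-depth an allow-list is tighter; if XLink is only expected to open web pages (an assumption to confirm against its callers), the condition could read `if (url && !['http:', 'https:'].includes(url.protocol)) {` in place of the `javascript:` comparison. The empty `catch (error) { }` is intentional but reads like a swallowed error, so a comment inside it such as `// Not an absolute URL: href stays null.` would make that explicit. The enclosing method begins and ends outside the hunk.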