Module: Primer::SafeHrefHelper
- Included in:
- Component
- Defined in:
- app/lib/primer/safe_href_helper.rb
Overview
:nodoc:
Constant Summary collapse
- DISALLOWED_HREF_SCHEMES =
URI schemes that can execute script in the browser and are never valid destinations for a Primer-rendered link.
%w[javascript vbscript].freeze
Class Method Summary collapse
-
.unsafe_href?(href) ⇒ Boolean
Returns true when
hrefstarts with a disallowed URI scheme.
Instance Method Summary collapse
Class Method Details
.unsafe_href?(href) ⇒ Boolean
Returns true when href starts with a disallowed URI scheme.
Mirrors browser URL parsing by stripping ASCII whitespace and control
characters (including tab/CR/LF) before extracting the scheme. This
prevents bypasses such as j\tavascript:..., JaVaScRiPt:..., or a
leading null byte, all of which browsers happily execute.
22 23 24 25 26 27 28 29 30 |
# File 'app/lib/primer/safe_href_helper.rb', line 22 def self.unsafe_href?(href) return false if href.nil? normalized = href.to_s.gsub(/[\u0000-\u0020]/, "") scheme = normalized[/\A([a-z][a-z0-9+\-.]*):/i, 1] return false unless scheme DISALLOWED_HREF_SCHEMES.include?(scheme.downcase) end |
Instance Method Details
#unsafe_href?(href) ⇒ Boolean
32 33 34 |
# File 'app/lib/primer/safe_href_helper.rb', line 32 def unsafe_href?(href) SafeHrefHelper.unsafe_href?(href) end |