Module: Primer::SafeHrefHelper

Included in:
Component
Defined in:
app/lib/primer/safe_href_helper.rb

Overview

:nodoc:

Constant Summary collapse

DISALLOWED_HREF_SCHEMES =

URI schemes that can execute script in the browser and are never valid destinations for a Primer-rendered link.

%w[javascript vbscript].freeze

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.unsafe_href?(href) ⇒ Boolean

Returns true when href starts with a disallowed URI scheme.

Mirrors browser URL parsing by stripping ASCII whitespace and control characters (including tab/CR/LF) before extracting the scheme. This prevents bypasses such as j\tavascript:..., JaVaScRiPt:..., or a leading null byte, all of which browsers happily execute.

Returns:

  • (Boolean)


22
23
24
25
26
27
28
29
30
# File 'app/lib/primer/safe_href_helper.rb', line 22

def self.unsafe_href?(href)
  return false if href.nil?

  normalized = href.to_s.gsub(/[\u0000-\u0020]/, "")
  scheme = normalized[/\A([a-z][a-z0-9+\-.]*):/i, 1]
  return false unless scheme

  DISALLOWED_HREF_SCHEMES.include?(scheme.downcase)
end

Instance Method Details

#unsafe_href?(href) ⇒ Boolean

Returns:

  • (Boolean)


32
33
34
# File 'app/lib/primer/safe_href_helper.rb', line 32

def unsafe_href?(href)
  SafeHrefHelper.unsafe_href?(href)
end