2 changes: 1 addition & 1 deletion .bundlewatch.config.json
Expand Up @@ -34,7 +34,7 @@
},
{
"path": "./dist/js/bootstrap.bundle.js",
"maxSize": "83.5 kB"
"maxSize": "83.75 kB"
},
{
"path": "./dist/js/bootstrap.bundle.min.js",
12 changes: 10 additions & 2 deletions js/src/util/sanitizer.js
Expand Up @@ -63,14 +63,22 @@ const uriAttributes = new Set([
*
* Shout-out to Angular https://github.com/angular/angular/blob/15.2.8/packages/core/src/sanitization/url_sanitizer.ts#L38
*/
const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:/?#]*(?:[/?#]|$))/i
const SAFE_URL_PATTERN = /^(?!(?:javascript|data|vbscript):)(?:[a-z0-9+.-]+:|[^&:/?#]*(?:[/?#]|$))/i

/**
* A pattern that matches safe data URLs. Only matches image, video and audio
* types — notably NOT `data:text/html`, which is an XSS vector.
*
* Shout-out to Angular https://github.com/angular/angular/blob/15.2.8/packages/core/src/sanitization/url_sanitizer.ts#L49
*/
const DATA_URL_PATTERN = /^data:(?:image\/(?:bmp|gif|jpeg|jpg|png|tiff|webp)|video\/(?:mpeg|mp4|ogg|webm)|audio\/(?:mp3|oga|ogg|opus));base64,[\d+/a-z=]+$/i

const allowedAttribute = (attribute, allowedAttributeList) => {
const attributeName = attribute.nodeName.toLowerCase()

if (allowedAttributeList.includes(attributeName)) {
if (uriAttributes.has(attributeName)) {
return Boolean(SAFE_URL_PATTERN.test(attribute.nodeValue))
return Boolean(SAFE_URL_PATTERN.test(attribute.nodeValue) || DATA_URL_PATTERN.test(attribute.nodeValue))
}

return true
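Review bot: `DATA_URL_PATTERN` deliberately omits `image/svg+xml`, but neither the regex nor its comment says so, and a maintainer "completing" the image list later would reintroduce scriptable SVG through `src`/`href`; I would extend the doc comment with ` * image/svg+xml is intentionally absent: SVG documents can carry <script> and event handlers.` Because the new `SAFE_URL_PATTERN` lookahead now rejects every `data:` URL, the `||` in `allowedAttribute` makes `DATA_URL_PATTERN` the only path that admits one, and that coupling should be stated above `SAFE_URL_PATTERN` (its comment opens outside this hunk), e.g. ` * data: is rejected here and only admitted via DATA_URL_PATTERN below.` The base64 class `[\d+/a-z=]+` accepts `=` anywhere and no URL-safe `-`/`_`; that is lax rather than unsafe, so it can stay, but a one-line note would stop someone "fixing" it into something broader.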
8 changes: 7 additions & 1 deletion js/tests/unit/util/sanitizer.spec.js
Expand Up @@ -67,7 +67,13 @@ describe('Sanitizer', () => {
'jav\u0000ascript:alert();'
]

for (const url of invalidUrls) {
const dangerousDataUrls = [
'data:text/html,hello',
'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
'vbscript:msgbox(1)'
]

for (const url of [...invalidUrls, ...dangerousDataUrls]) {
const template = [
'<div>',
` <a href="${url}">Click me</a>`,
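Review bot: The added cases only assert rejection; nothing visible here exercises the allow path of `DATA_URL_PATTERN`, so a regression that dropped the second alternative in `allowedAttribute` would still pass this loop (its body continues past the hunk, and other describe blocks may cover it). I would add one accepted case such as `'data:image/png;base64,iVBORw0KGgo='` asserted to survive sanitization, and one boundary rejection, `'data:image/svg+xml;base64,PHN2Zy8+'`, since SVG is the type most likely to be added to the allow-list by mistake. `'vbscript:msgbox(1)'` is not a data URL; moving it into `invalidUrls` keeps the `dangerousDataUrls` name honest.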