1
0
mirror of https://github.com/mattermost/focalboard.git synced 2024-12-24 13:43:12 +02:00

Opened markdown links in new tab (#792)

* Opened markdown links in new tab

* Used openInNewBrowser only when available

Co-authored-by: Hossein <hahmadia@users.noreply.github.com>
This commit is contained in:
Harshil Sharma 2021-07-30 13:32:49 +05:30 committed by GitHub
parent 926c4628c6
commit 186ba524d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 3 deletions

View File

@ -25,7 +25,7 @@ describe('utils', () => {
describe('htmlFromMarkdown', () => {
test('should not allow XSS on links href on the webapp', () => {
expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe('<p><a href="%22xss-attack=%22true%22other=%22whatever"></a></p>')
expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe('<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" ></a></p>')
})
test('should not allow XSS on links href on the desktop app', () => {

View File

@ -112,8 +112,14 @@ class Utils {
static htmlFromMarkdown(text: string): string {
// HACKHACK: Somehow, marked doesn't encode angle brackets
const renderer = new marked.Renderer()
if ((window as any).openInNewBrowser) {
renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);">${contents}</a>`
renderer.link = (href, title, contents) => {
return '<a ' +
'target="_blank" ' +
'rel="noreferrer" ' +
`href="${encodeURI(href || '')}" ` +
`title="${title ? encodeURI(title) : ''}" ` +
((window as any).openInNewBrowser ? 'onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);"' : '') +
'>' + contents + '</a>'
}
const html = marked(text.replace(/</g, '&lt;'), {renderer, breaks: true})
return html.trim()