AlaskaAirlines / auro-hyperlink

Custom hyperlink element to connect webpages or data items to one another
https://auro.alaskaair.com/components/auro/hyperlink
Apache License 2.0

Refactor security against dangerous URL #202

Closed blackfalcon closed 5 months ago

blackfalcon commented 6 months ago

General Support Request

Refactor the code to be more robust from a security standpoint.

https://github.com/AlaskaAirlines/auro-hyperlink/blob/dff0c54009e530d081a482316208f299b27ce8fb/src/component-base.mjs#L90-L123

Possible Solution

Remove unwanted references and be specific about types that are secure and supported. The updated code should still disallow any HREFs that are JavaScript, as well as ignore data: type URLs and anything else that is not explicitly supported.

Additional context

Code was reviewed in a security training session and it was pointed out that there were subtle flaws regarding allowing JavaScript to be recognized as a type and then having to return an empty string. The suggestion was to not list the options that are not allowed at all, but to only allow options that are considered safe.

It was pointed out that we were not accounting for the href data: type.

Exit criteria

This issue can be closed once the updates made improve on the previous security model, maintain the exclusion of the JavaScript protocol, and also account for the long list of other protocols that are unsupported.
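As an added example, not code from the auro-hyperlink project: an allowlist-based href check that takes the approach the issue describes (permit only explicitly supported schemes; javascript:, data: and every unlisted scheme fall through to an empty string). It relies on the WHATWG URL parser, the same parser a browser applies to an href, so scheme case and embedded tab/newline characters are normalized before the check. `SAFE_PROTOCOLS`, `DOCUMENT_BASE` and `safeHref` are assumed names, not the component's API.

```javascript
// Allowlist of schemes the component explicitly supports (assumed set, not the
// project's). Anything absent from this set, including javascript:, data:,
// vbscript: and ftp:, is rejected without being named anywhere.
const SAFE_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:', 'sms:']);

// Placeholder base so relative references ("/about", "#top", "?q=1") can be
// parsed; only used for resolution, never returned to the caller.
const DOCUMENT_BASE = 'https://example.invalid/';

// Returns true when the input carries its own scheme (absolute URL),
// false when it is a relative reference that only parses against a base.
function isAbsolute(value) {
  try {
    new URL(value);
    return true;
  } catch {
    return false;
  }
}

/**
 * Return a safe href, or '' when the value must not be rendered.
 * Relative references are returned as written (trimmed) so they stay relative
 * to the current document; absolute URLs are returned in normalized form.
 * Non-string, empty and unparseable input is rejected.
 */
function safeHref(input) {
  if (typeof input !== 'string') return '';
  const trimmed = input.trim();
  if (trimmed === '') return '';

  let url;
  try {
    // The URL parser lower-cases the scheme and strips ASCII tab/newline,
    // so "JavaScript:" and "java\tscript:" both surface as "javascript:".
    url = new URL(trimmed, DOCUMENT_BASE);
  } catch {
    return '';
  }

  // Allowlist check: the scheme must be one we explicitly support.
  if (!SAFE_PROTOCOLS.has(url.protocol)) return '';

  // A relative reference resolved to an allowed scheme via the base;
  // hand it back unchanged so the browser resolves it against the real page.
  return isAbsolute(trimmed) ? url.href : trimmed;
}
```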