csaf-poc / csaf_webview

Web app (module) to display a CSAF 2 document and to browse CSAF 2 ROLIE feeds. ⚠️ The web demo is often not allowed to access servers:
https://csaf-poc.github.io/csaf_webview/

Avoid rendering JavaScript URLs as clickable links #47

Closed bernhard-herzog closed 2 months ago

bernhard-herzog commented 2 months ago

To avoid running JavaScript taken from JSON files downloaded from the internet in the client we now try to render URLs only as clickable links if the protocol of the URL is safe, which more concretely means HTTP or HTTPS. Other URLs are rendered as plain text. This commit only covers links that are obviously treated as links to external resources.

To avoid duplication, this introduces a new component, SafeLink, that takes the URL and optionally id and target attributes and renders a suitable a-element if the protocol is safe and text otherwise.

Fixes #45
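The check described in the PR above, as an added example that is not the project's own SafeLink component (which is a Svelte component, not shown here): a URL taken from an untrusted CSAF or ROLIE document is only rendered as an a-element when it parses as an absolute URL with an http or https scheme; everything else, including javascript:, data: and vbscript: URLs, relative paths and unparseable strings, is rendered as escaped plain text. The function names isSafeUrl, escapeHtml and renderLink are hypothetical, as are the sample URLs.

```javascript
// Added example, not code from csaf_webview. Demonstrates the "render as a
// link only for safe protocols" rule from the PR description.

// Schemes that may become clickable links; everything else is plain text.
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Returns true only if `value` is an absolute URL whose scheme is http or https.
function isSafeUrl(value) {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    // The WHATWG URL parser lowercases the scheme and strips leading/trailing
    // C0 controls and whitespace, so " JavaScript:alert(1)" still yields the
    // protocol "javascript:" and is rejected below.
    parsed = new URL(value);
  } catch {
    // Relative or malformed input: never turn it into a link.
    return false;
  }
  return SAFE_PROTOCOLS.has(parsed.protocol);
}

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Renders `url` as an <a> element when its protocol is safe, otherwise as
// escaped text. `id` and `target` are optional, mirroring the SafeLink idea.
function renderLink(url, { id, target } = {}) {
  const text = escapeHtml(url);
  if (!isSafeUrl(url)) return text;
  const attrs = [`href="${escapeHtml(url)}"`];
  if (id) attrs.push(`id="${escapeHtml(id)}"`);
  if (target) {
    attrs.push(`target="${escapeHtml(target)}"`);
    // Opening in a new browsing context: do not hand the opener to the target.
    attrs.push('rel="noopener noreferrer"');
  }
  return `<a ${attrs.join(" ")}>${text}</a>`;
}

// Constructed sample values, as they might appear in a downloaded document.
const samples = [
  "https://example.org/advisory.json",
  "javascript:alert(1)",
  "  JavaScript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "/relative/path",
];
for (const s of samples) {
  console.log(isSafeUrl(s) ? "link" : "text", "<-", JSON.stringify(s));
}
```

The decision is made on the parsed protocol rather than on a string prefix, so case variations, leading whitespace and control characters do not bypass the check; relative URLs are deliberately treated as text because a document-supplied relative path would resolve against the viewer's own origin.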

github-actions[bot] commented 2 months ago

Coverage Report

Status  Category    Percentage         Covered / Total
🟢      Lines       87.82% (🎯 60%)    202 / 230
🟢      Statements  87.98% (🎯 60%)    227 / 258
🟢      Functions   94.23% (🎯 60%)     49 / 52
🟢      Branches    84.93% (🎯 60%)    124 / 146

File Coverage: No changed files found.

Generated in workflow #22

bernhardreiter commented 2 months ago

@bernhard-herzog As we are going to Apache-2.0 (see #46), can you change the license to Apache-2.0 for the new files already?

ThomasJunk commented 2 months ago

@bernhard-herzog If you change the license, we could merge.