formio / angular

JSON powered forms for Angular
https://formio.github.io/angular-demo
MIT License

[Question] formio sandbox - allowing MS Teams URI #821

Closed Rolf-MP closed 8 months ago

Rolf-MP commented 3 years ago

Hi,

I am trying to allow href to use the msteams protocol in the formio sandbox through the options json. This does not fly however.

{
  "display": "form",
  "components": [
    {
      "label": "HTML",
      "tag": "div",
      "attrs": [
        {
          "attr": "",
          "value": ""
        }
      ],
      "content": "<a href=\"msteams:/l/chat/0/0?users=first.last@example.com\">MS Teams link</a>",
      "refreshOnChange": false,
      "key": "html3",
      "type": "htmlelement",
      "input": false,
      "tableView": false
    }
  ]
}

When I add the below as a string in the options json

{
  "sanitizeConfig": {
    "allowedUriRegex": "/^(?:(?:(?:f|ht)tps?|mailto|msteams|tel|callto|cid|xmpp|xxx):|[^a-z]|[a-z+.\\-]+(?:[^a-z+.\\-:]|$))/i"
  }
}

It is not respected (testing the regexp against the msteams URI shows the regexp is fine). I presume this is because the regex string is not converted to a regex object in the sanitize function in utils.js.

Suggestion: detect whether "allowedUriRegex" is a regex object and, if not, convert the string (or an array of strings) to a regex object per jsref_regexp_constructor.

From utils.js:

import dompurify from 'dompurify';

export function sanitize(string, options) {
  // Dompurify configuration
  const sanitizeOptions = {
    ADD_ATTR: ['ref', 'target'],
    USE_PROFILES: { html: true }
  };
  // Add attrs
  if (options.sanitizeConfig && Array.isArray(options.sanitizeConfig.addAttr) && options.sanitizeConfig.addAttr.length > 0) {
    options.sanitizeConfig.addAttr.forEach((attr) => {
      sanitizeOptions.ADD_ATTR.push(attr);
    });
  }
  // Add tags
  if (options.sanitizeConfig && Array.isArray(options.sanitizeConfig.addTags) && options.sanitizeConfig.addTags.length > 0) {
    sanitizeOptions.ADD_TAGS = options.sanitizeConfig.addTags;
  }
  // Allow tags
  if (options.sanitizeConfig && Array.isArray(options.sanitizeConfig.allowedTags) && options.sanitizeConfig.allowedTags.length > 0) {
    sanitizeOptions.ALLOWED_TAGS = options.sanitizeConfig.allowedTags;
  }
  // Allow attributes
  if (options.sanitizeConfig && Array.isArray(options.sanitizeConfig.allowedAttrs) && options.sanitizeConfig.allowedAttrs.length > 0) {
    sanitizeOptions.ALLOWED_ATTR = options.sanitizeConfig.allowedAttrs;
  }
  // Allowed URI Regex
  if (options.sanitizeConfig && options.sanitizeConfig.allowedUriRegex) {
    sanitizeOptions.ALLOWED_URI_REGEXP = options.sanitizeConfig.allowedUriRegex;
  }
  return dompurify.sanitize(string, sanitizeOptions);
}

Best! Rolf
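The conversion suggested above, as an added example that is not formio's own code: it accepts a RegExp, a bare pattern string, a "/pattern/flags" literal as it would be typed into a JSON options file, or an array of pattern strings (all assumed input shapes), and builds the same options object as sanitize() with a real RegExp in ALLOWED_URI_REGEXP. The literal form must have its delimiters stripped, because `new RegExp("/.../i")` treats the leading slash as a literal character and then no href passes at all; anything unrecognised is dropped so DOMPurify keeps its conservative default.

```javascript
// Added example, not formio's own code: normalise `sanitizeConfig.allowedUriRegex`
// into a RegExp before it is handed to DOMPurify as ALLOWED_URI_REGEXP.
// Accepted inputs (assumed): a RegExp, a bare pattern string, a "/pattern/flags"
// literal as typed into a JSON options file, or an array of pattern strings.

// Recognises a string written in regex-literal form, e.g. "/^foo$/i".
const LITERAL_FORM = /^\/(.*)\/([a-z]*)$/;

function toAllowedUriRegex(value) {
  if (value instanceof RegExp) {
    return value;
  }
  if (Array.isArray(value) && value.length > 0) {
    // Each entry describes one permitted URI form; join them as alternatives.
    return new RegExp(value.map((p) => `(?:${p})`).join('|'), 'i');
  }
  if (typeof value === 'string' && value.length > 0) {
    const m = LITERAL_FORM.exec(value);
    // Strip "/.../flags" delimiters: passed through unchanged, the leading "/"
    // becomes a literal character and no href would ever satisfy the check.
    // An empty pattern between the slashes would allow everything, so it is
    // not accepted as a literal.
    return m && m[1] ? new RegExp(m[1], m[2]) : new RegExp(value, 'i');
  }
  // Anything else is ignored so DOMPurify keeps its conservative default.
  return undefined;
}

// Option-building step of sanitize() with the raw assignment replaced by the
// normalised RegExp; the result is what would be passed to dompurify.sanitize().
function buildSanitizeOptions(options = {}) {
  const sanitizeOptions = {
    ADD_ATTR: ['ref', 'target'],
    USE_PROFILES: { html: true },
  };
  const cfg = options.sanitizeConfig;
  const re = cfg ? toAllowedUriRegex(cfg.allowedUriRegex) : undefined;
  if (re) {
    sanitizeOptions.ALLOWED_URI_REGEXP = re;
  }
  return sanitizeOptions;
}

// Constructed sample: an allowlist in the shape of the one in the question
// (DOMPurify's default scheme list plus msteams), written as a JSON string value.
const MSTEAMS_ALLOWED =
  '/^(?:(?:(?:f|ht)tps?|mailto|msteams|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\\-]+(?:[^a-z+.\\-:]|$))/i';
```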

lane-formio commented 8 months ago

We're currently addressing a backlog of GitHub issues, and as part of this effort, some inactive issues may be marked as closed. This isn't a dismissal, but a step toward more efficient tracking.

If you feel the issue is still relevant, please re-open and we'll ensure it gets the attention it deserves. Your understanding is appreciated as we work to enhance our open-source responsiveness.