refactor: ensure both href and to attributes are properly validated

near · Dec 25, 2023 · 65d1ed2 · 65d1ed2
1 parent 6e8ecf4
commit 65d1ed2
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/src/components/vm/VmInitializer.tsx b/src/components/vm/VmInitializer.tsx
@@ -1,4 +1,4 @@
-import { sanitize } from 'dompurify';
+import { isValidAttribute } from 'dompurify';
 import { setupKeypom } from '@keypom/selector';
 import type { WalletSelector } from '@near-wallet-selector/core';
 import { setupWalletSelector } from '@near-wallet-selector/core';
@@ -38,6 +38,7 @@ import { useVmStore } from '@/stores/vm';
 import { recordWalletConnect, reset as resetAnalytics } from '@/utils/analytics';
 import { networkId, signInContractId } from '@/utils/config';
 import { KEYPOM_OPTIONS } from '@/utils/keypom-options';
+import { clone } from 'lodash';
 
 export default function VmInitializer() {
   const [signedIn, setSignedIn] = useState(false);
@@ -102,7 +103,20 @@ export default function VmInitializer() {
           ],
         }),
         customElements: {
-          Link: ({ href, to, ...rest }: any) => <Link href={sanitize(href ?? to)} {...rest} />,
+          Link: (props: { to: string | object | undefined; href: string | object }) => {
+            const cleanProps = clone(props);
+            if (!cleanProps.to && cleanProps.href) {
+              cleanProps.to = cleanProps.href;
+              cleanProps.href = {};
+            }
+            if (cleanProps.to) {
+              cleanProps.to =
+                typeof cleanProps.to === 'string' && isValidAttribute('a', 'href', cleanProps.to)
+                  ? cleanProps.to
+                  : 'about:blank';
+            }
+            return <Link {...cleanProps} />;
+          },
         },
         features: { enableComponentSrcDataKey: true },
       });