From 65d1ed2cb04142a40584c7e69e8c6c2de8338420 Mon Sep 17 00:00:00 2001
From: Charles Garrett
Date: Mon, 25 Dec 2023 14:25:16 -0800
Subject: [PATCH] refactor: ensure both href and to attributes are properly validated

---
 src/components/vm/VmInitializer.tsx | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/components/vm/VmInitializer.tsx b/src/components/vm/VmInitializer.tsx
index 10c4a27782..54b23849c8 100644
--- a/src/components/vm/VmInitializer.tsx
+++ b/src/components/vm/VmInitializer.tsx
@@ -1,4 +1,4 @@
-import { sanitize } from 'dompurify';
+import { isValidAttribute } from 'dompurify';
 import { setupKeypom } from '@keypom/selector';
 import type { WalletSelector } from '@near-wallet-selector/core';
 import { setupWalletSelector } from '@near-wallet-selector/core';
@@ -38,6 +38,7 @@ import { useVmStore } from '@/stores/vm';
 import { recordWalletConnect, reset as resetAnalytics } from '@/utils/analytics';
 import { networkId, signInContractId } from '@/utils/config';
 import { KEYPOM_OPTIONS } from '@/utils/keypom-options';
+import { clone } from 'lodash';
 
 export default function VmInitializer() {
 const [signedIn, setSignedIn] = useState(false);
@@ -102,7 +103,20 @@ export default function VmInitializer() {
 ],
 }),
 customElements: {
- Link: ({ href, to, ...rest }: any) => ,
+ Link: (props: { to: string | object | undefined; href: string | object }) => {
+ const cleanProps = clone(props);
+ if (!cleanProps.to && cleanProps.href) {
+ cleanProps.to = cleanProps.href;
+ cleanProps.href = {};
+ }
+ if (cleanProps.to) {
+ cleanProps.to =
+ typeof cleanProps.to === 'string' && isValidAttribute('a', 'href', cleanProps.to)
+ ? cleanProps.to
+ : 'about:blank';
+ }
+ return ;
+ },
 },
 features: { enableComponentSrcDataKey: true },
 });
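Review bot: When `to` is already set, `href` is forwarded unchanged — the only branch that touches `href` is `if (!cleanProps.to && cleanProps.href)`, so a caller that passes both props gets an unvalidated `href` through to the rendered element (the JSX in the `return` is missing from this paste, presumably `<Link {...cleanProps} />`), which is at odds with the subject line's "both href and to ... validated". Unless `Link` is known to ignore `href` whenever `to` is present, drop it unconditionally rather than replacing it with an empty object: `delete cleanProps.href;` in place of `cleanProps.href = {};`, and the same deletion after the `to` check so the unvalidated value never reaches the element. Also, the prop type admits `to: object`, but `typeof cleanProps.to === 'string'` sends every object-shaped `to` to `'about:blank'` silently; if object routes are a supported input, either narrow the type to `string` or validate the object's path field explicitly, otherwise the type should say `string`. Finally, `clone(props)` here is a shallow copy that `{ ...props }` expresses without the new `lodash` import added in the preceding hunk.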