Allow unknown protocols in project's description links #3758
No reviewers
Labels
No Label
area/internal-code
changes requested
confirmed
dependencies
duplicate
good first issue
help wanted
hosting
invalid
kind/bug
kind/feature
question
wontfix
No Milestone
No project
No Assignees
3 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: vikunja/frontend#3758
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "jackymancs4/vikunja-frontend:feature/allow-unknown-protocols"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Hello,
sometimes I include inside a project's description a link to the related Joplin note, in the format:
Unfortunately, it get rendered as an empty link.
I think this PR is an acceptable security compromise since the project description can be modified only by an authenticated user,
which should have full responsibility of what he put in the description.
Docs
https://github.com/cure53/DOMPurify#control-permitted-attribute-values
https://joplinapp.org/external_links/
Hi jackymancs4!
Thank you for creating a PR!
I've deployed the changes of this PR on a preview environment under this URL: https://3758-feature-allow-unknown-protocols--vikunja-frontend-preview.netlify.app
You can use this url to view the changes live and test them out.
You will need to manually connect this to an api running somehwere. The easiest to use is https://try.vikunja.io/.
Have a nice day!
Thanks for the PR!
Can you extend this to task descriptions and comments?
We should filter out schemes like
javascript:
,vbscript:
anddata:
as they can directly execute code.Even if the people editing text are authenticated, they are not always users (link shares can send comments or edit a task description) and everyone can see the description. A malicious attacker could create a project/task on an instance their users trust, then send them the link, and they would click on it.
Gitea got bitten by this in one of their more recent releases: https://blog.gitea.com/release-of-1.20.1/#%EF%B8%8F-any-url-scheme-may-be-used-for-links-24805
Will do.
Most interesting.
Do you happen do be a RegEx wizard?
I'm having difficulties adapting the default regex
/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|xxx):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i
to be used in ALLOWED_URI_REGEXP in a negative (exclusive) wayNot sure if that's the way to go about this. AFAIK you can do pretty much everything with regex but I think Dompurify should have an option to prevent this. Do you want to open an issue over at their repo?
I'm not sure what the issue on their side would be. Are you suggesting a DENIED_URI_REGEXP config that matches unwanted URI (like
javascript:
)?Yes pretty much. Either they have that option and it's not obvious or they don't have it and in that case probably a good reason for it.
Since they straight up allow to disable the check with ALLOW_UNKNOWN_PROTOCOLS, I guess there isn't a real good reason. Just that nobody asked for it before. I'll open the issue.
In the mean time, would you settle for it if get the ALLOWED_URI_REGEXP working as described?
What if I extended the default one with to include
joplin
in the whitelist, just for my use case?E.g
/^(?:(?:(?:f|ht)tps?|joplin|mailto|tel|callto|sms|cid|xmpp|xxx):|[^a-z]|[a-z+.-]+(?:[^a-z+.-:]|$))/i
yeah that could work.
Others have been requested already (obsidian for example), better to fix this with one general solution.
Do you want to rework this PR with the new editor we've switched to?
Closing due to inactivity. Please ping if you want to pick it up again.