import { stripInvisibleUnicode } from 'roosterjs-content-model-dom';
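/**
 * @internal Check if there is XSS attack in the link
 * @param link The link to be checked
 * @returns The safe link with invisible Unicode characters stripped, or empty string if there is XSS attack
 * @remarks This function strips invisible Unicode characters (zero-width chars, Unicode Tags, etc.)
 * and then rejects links whose scheme spells "script:" (javascript:, vbscript:, ...), even when the
 * letters are separated by ASCII tab, LF or CR. URL parsers remove those three characters from the
 * whole input before resolving the scheme, so "java\tscript:" or "javascri\rpt:" are live
 * javascript: URLs and must be caught just like "s\nc\nr\ni\np\nt:". This may block some valid
 * links, but it is necessary for security reasons. We treat the word "script" as safe if there is
 * a "/" before it (it is then part of a path, not the scheme).
 * NOTE(review): only "script:"-style schemes are rejected; other schemes such as data: pass
 * through unchanged. Whether that is acceptable depends on where the caller places the result.
 */
export function checkXss(link: string): string {
    // Defense-in-depth: strip invisible Unicode even if already handled elsewhere
    const sanitized = stripInvisibleUnicode(link);
    // Allow any mix of tab / LF / CR between the letters and before the colon: browsers discard
    // all three before scheme parsing, so permitting only "\n" would leave a trivial bypass.
    const scriptScheme = /^[^\/]*s[\t\n\r]*c[\t\n\r]*r[\t\n\r]*i[\t\n\r]*p[\t\n\r]*t[\t\n\r]*:/i;
    return scriptScheme.test(sanitized) ? '' : sanitized;
}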