Hi @lfbrock, thank you for considering my request.
I understand that you are using `decodeURIComponent()` in order to detect URLs that carry a risk of XSS.
Being able to decode a variety of character sets is not essential for this purpose.
It is possible that `decodeURIComponent()` does not guarantee that there is no risk of JavaScript execution.
For example, `decodeURIComponent()` does not throw an exception for the following harmful URL:
It is not appropriate to use `decodeURIComponent()` to avoid XSS.
In fact, the XSS does not hold if this `decodeURIComponent()` is removed from the current Mattermost implementation. marked.js will not let a harmful string reach `MattermostMarkdownRenderer#link`, because it does not treat strings containing things such as `javascript://` and `<script>` as link items. So I submitted the PR.
If `MattermostMarkdownRenderer` would like to invalidate harmful URLs as an independent module, it can be realized with code such as:
```js
// Reject the href if it contains any character outside this allowlist.
if (/[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]/.test(href)) {
    return '';
}
```
To repeat, it may not be necessary to handle various character sets in `MattermostMarkdownRenderer#link`. It is only necessary to sanitize by detecting just the harmful URLs.