Filip/playwright
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

fix: sanitize URLs with vbscript: (#14325)

Browse source 
fix: sanitize URLs with vbscript:

The vbscript: protocols can be used to run scripts in much the same way as the javascript: protocol. This PR adds in validation for those aforementioned protocols in snapshotterInjected.ts and snapshotRenderer.ts.
This commit is contained in:
Elijah 2022-06-02 12:25:59 -07:00 committed by GitHub
parent 3a3aa023ad
commit dbc2494e54
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
packages/playwright-core/src/server/trace/recorder/snapshotterInjected.ts
View file

@ -218,7 +218,7 @@ export function frameSnapshotStreamer(snapshotStreamer: string) {
} }
private _sanitizeUrl(url: string): string { private _sanitizeUrl(url: string): string {
if (url.startsWith('javascript:')) if (url.startsWith('javascript:') || url.startsWith('vbscript:'))
return ''; return '';
return url; return url;
} }

2
packages/trace-viewer/src/snapshotRenderer.ts
View file

@ -297,7 +297,7 @@ export function rewriteURLForCustomProtocol(href: string): string {
try { try {
const url = new URL(href); const url = new URL(href);
// Sanitize URL. // Sanitize URL.
if (url.protocol === 'javascript:') if (url.protocol === 'javascript:' || url.protocol === 'vbscript:')
return 'javascript:void(0)'; return 'javascript:void(0)';
// Pass through if possible. // Pass through if possible.