Fixed Link extension's commands not respecting XSS prevention via unallowed protocols (#5945)

bdbch · web-flow · commit 1c2fefe3d61a · 2024-12-19T12:16:03.000+01:00
* fixed link commands not respecting allowed protocols

* added changesets

* refactor(link): don't use throw for invalid uri handling
diff --git a/.changeset/empty-seals-join.md b/.changeset/empty-seals-join.md
@@ -0,0 +1,5 @@
+---
+"@tiptap/extension-link": patch
+---
+
+Added checks for allowed protocols in link commands & exported isValidUri helper for manual checks outside of the extension
diff --git a/demos/src/Marks/Link/React/index.jsx b/demos/src/Marks/Link/React/index.jsx
@@ -105,8 +105,12 @@ export default () => {
     }
 
     // update link
-    editor.chain().focus().extendMarkRange('link').setLink({ href: url })
-      .run()
+    try {
+      editor.chain().focus().extendMarkRange('link').setLink({ href: url })
+        .run()
+    } catch (e) {
+      alert(e.message)
+    }
   }, [editor])
 
   if (!editor) {
diff --git a/packages/extension-link/src/link.ts b/packages/extension-link/src/link.ts
@@ -160,7 +160,7 @@ declare module '@tiptap/core' {
 // eslint-disable-next-line no-control-regex
 const ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g
 
-function isAllowedUri(uri: string | undefined, protocols?: LinkOptions['protocols']) {
+export function isAllowedUri(uri: string | undefined, protocols?: LinkOptions['protocols']) {
   const allowedProtocols: string[] = [
     'http',
     'https',
@@ -322,11 +322,31 @@ export const Link = Mark.create<LinkOptions>({
     return {
       setLink:
         attributes => ({ chain }) => {
+          const { href } = attributes
+
+          if (!this.options.isAllowedUri(href, {
+            defaultValidate: url => !!isAllowedUri(url, this.options.protocols),
+            protocols: this.options.protocols,
+            defaultProtocol: this.options.defaultProtocol,
+          })) {
+            return false
+          }
+
           return chain().setMark(this.name, attributes).setMeta('preventAutolink', true).run()
         },
 
       toggleLink:
         attributes => ({ chain }) => {
+          const { href } = attributes
+
+          if (!this.options.isAllowedUri(href, {
+            defaultValidate: url => !!isAllowedUri(url, this.options.protocols),
+            protocols: this.options.protocols,
+            defaultProtocol: this.options.defaultProtocol,
+          })) {
+            return false
+          }
+
           return chain()
             .toggleMark(this.name, attributes, { extendEmptyMarkRange: true })
             .setMeta('preventAutolink', true)

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@tiptap/extension-link": patch
 +---
++
 +Added checks for allowed protocols in link commands & exported isValidUri helper for manual checks outside of the extension