Merge pull request #28 from gtsp233/fix-javascript-url

virtualvivek · web-flow · commit 167f9bbb3623 · 2024-01-02T16:45:07.000+05:30
feat: sanitize javascript url
diff --git a/src/lib/src/components/NavBar/NavBarLink/index.js b/src/lib/src/components/NavBar/NavBarLink/index.js
@@ -1,5 +1,7 @@
 import React from "react";
 
+const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i
+
 const NavBarLink = (props) => {
 
   const {
@@ -12,9 +14,15 @@ const NavBarLink = (props) => {
     onClick,
     showBadge,
     imgBorderRadius,
-    badgeBackgroundColor
+    badgeBackgroundColor,
+    allowJavaScriptUrls = true
   } = props;
 
+  if (isJavaScriptProtocol.test(href) && !allowJavaScriptUrls) {
+    console.warn(`NavBarLink has blocked a javascript: URL as a security precaution`);
+    return null;
+  }
+
   const renderBadge = () => {
     if(showBadge > 0 || showBadge !== "") {
       return <div className="app-badge"
