fix: sanitize URLs with vbscript: (#14325)

fix: sanitize URLs with vbscript:

The vbscript: protocol can be used to run scripts in much the same way as the javascript: protocol. This PR adds validation for it in snapshotterInjected.ts and snapshotRenderer.ts.
Elijah 2022-06-02 12:25:59 -07:00 committed by GitHub
parent 3a3aa023ad
commit dbc2494e54
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions


@ -218,7 +218,7 @@ export function frameSnapshotStreamer(snapshotStreamer: string) {
}
private _sanitizeUrl(url: string): string {
if (url.startsWith('javascript:'))
if (url.startsWith('javascript:') || url.startsWith('vbscript:'))
return '';
return url;
}
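Review bot: The check in `_sanitizeUrl` is a case-sensitive prefix match on the raw string, so it only catches the exact lower-case spellings `javascript:` and `vbscript:`. Browsers match the scheme case-insensitively and ignore leading whitespace/control characters and embedded tab or newline characters when parsing a URL, so a value the browser still resolves to one of these schemes can pass through unchanged. I would normalise a copy before comparing, e.g. `const probe = url.replace(/^[\u0000-\u0020]+|[\t\n\r]/g, '').toLowerCase();` followed by `if (probe.startsWith('javascript:') || probe.startsWith('vbscript:'))`. The second file in this commit compares `url.protocol` from a parsed `URL`, which is already normalised, so it is not affected. The enclosing class starts outside the hunk.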


@ -297,7 +297,7 @@ export function rewriteURLForCustomProtocol(href: string): string {
try {
const url = new URL(href);
// Sanitize URL.
if (url.protocol === 'javascript:')
if (url.protocol === 'javascript:' || url.protocol === 'vbscript:')
return 'javascript:void(0)';
// Pass through if possible.
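Review bot: The `// Sanitize URL.` comment above the changed condition does not say what is blocked or why, and the scheme list is now duplicated here and in `_sanitizeUrl` in the other file, where the two can drift apart. I would expand it to `// Neutralise script-executing schemes (javascript:, vbscript:) so a recorded link cannot run script when the snapshot is rendered; keep in sync with the injected sanitizer.` — the rendering context is inferred from the file name given in the commit description. The `catch` branch of this `try` is outside the hunk, so whether an href that fails to parse is returned unchanged cannot be checked from here. `rewriteURLForCustomProtocol` continues past the last visible line.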