Patching XSS vulnerability
author: Pseudochu <pseudochu@gmail.com>
Fri, 13 Jun 2014 17:08:20 +0000 (20:08 +0300)
committer: Pseudochu <pseudochu@gmail.com>
Fri, 13 Jun 2014 17:08:20 +0000 (20:08 +0300)
The following message produces a clickable link that triggers JavaScript when clicked (pre-patch):
javascript://www.google.com/?%0Aalert(0);

The patch was designed to prevent this while maintaining support for arbitrary link protocols.

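The commit message describes the problem the patch addresses: a chat message is turned into a clickable link without the link's scheme being checked, so a `javascript:` URL becomes a script-executing anchor. The following is an added example, not this project's code and not part of the commit: a self-contained linkifier that takes the opposite approach to the patch and only wraps a token in an anchor when its scheme is on an explicit allow-list (`ALLOWED_SCHEMES` is an assumed, constructed list), HTML-escapes both the visible text and the `href`, and rejects tokens containing control characters. The function names `escapeHtml`, `safeHref` and `linkify` are the example's own.

```javascript
// Added example (not the project's code): scheme allow-listing linkifier.
// Only tokens whose scheme is in ALLOWED_SCHEMES become <a> elements; every
// other token, including javascript:, stays escaped plain text.

// Assumed list of protocols a chat client is happy to render as links.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'irc', 'ircs'];

// Escape the characters that change meaning inside HTML text or attributes.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Return the href to use for a token, or null when it must not be a link.
function safeHref(token) {
  // Browsers strip C0 control characters while parsing a URL, so a token
  // containing them could parse differently from how it looks; refuse it.
  if (/[\u0000-\u001f]/.test(token)) {
    return null;
  }
  // Bare "www." hosts get http:// prepended, as the patched code also does.
  if (/^www\./i.test(token)) {
    return 'http://' + token;
  }
  // Scheme names are compared case-insensitively, matching browser behaviour.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(token);
  if (!m) {
    return null;
  }
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase()) ? token : null;
}

// Turn a line of chat text into HTML, linking only allow-listed URLs.
function linkify(text) {
  // Keep the whitespace separators so the output preserves spacing.
  return text.split(/(\s+)/).map(part => {
    if (/^\s*$/.test(part)) {
      return part;
    }
    const href = safeHref(part);
    const shown = escapeHtml(part);
    if (href === null) {
      return shown;
    }
    return '<a href="' + escapeHtml(href) + '" rel="noopener noreferrer" target="_blank">' + shown + '</a>';
  }).join('');
}

// Constructed sample input: the message quoted in the commit description.
const SAMPLE = 'look javascript://www.google.com/?%0Aalert(0); and www.google.com';
console.log(linkify(SAMPLE));
```

With the sample line, the `javascript:` token is emitted unchanged as escaped text while `www.google.com` becomes an anchor. Because the decision is an allow-list, schemes the code has never heard of are refused by construction, which is the trade-off against the commit's stated goal of supporting arbitrary protocols: new safe schemes have to be added to the list deliberately.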
client/src/views/channel.js

index 3819ddf29c921410c9caacf389ab5f75c634b80e..5c83320ed24ee4c84391ea6317913ae894fe4a57 100644 (file)
@@ -88,6 +88,10 @@ _kiwi.view.Channel = _kiwi.view.Panel.extend({
             var nice = url,
                 extra_html = '';
 
+            if (url.match(/^javascript:/)) {
+                return url;
+            }
+
             // Add the http if no protoocol was found
             if (url.match(/^www\./)) {
                 url = 'http://' + url;
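Review bot: the new guard `if (url.match(/^javascript:/))` is case-sensitive and names only one scheme, so it catches just the lower-case spelling of `javascript:` while browsers compare schemes case-insensitively; at minimum use `/^javascript:/i`. Given that the commit wants to keep arbitrary link protocols, a deny-list of one scheme is fragile either way; a safer shape is to return early unless the scheme matches an allow-list of link-safe protocols (http, https, ftp, irc, ...), which also covers schemes this check does not name. The early `return url;` also skips whatever processing follows in this function, so confirm that the caller HTML-escapes the returned value before it reaches the DOM; that is not visible in the hunk.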