	fix: sanitize URLs with vbscript: (#14325)
fix: sanitize URLs with vbscript: The vbscript: protocol can be used to run scripts in much the same way as the javascript: protocol. This PR adds validation for that protocol in snapshotterInjected.ts and snapshotRenderer.ts.
							parent
							
								
									3a3aa023ad
								
							
						
					
					
						commit
						dbc2494e54
					
				| @ -218,7 +218,7 @@ export function frameSnapshotStreamer(snapshotStreamer: string) { | ||||
|     } | ||||
| 
 | ||||
|     private _sanitizeUrl(url: string): string { | ||||
|       if (url.startsWith('javascript:')) | ||||
|       if (url.startsWith('javascript:') || url.startsWith('vbscript:')) | ||||
|         return ''; | ||||
|       return url; | ||||
|     } | ||||
|  | ||||
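Review bot: The prefix test in `_sanitizeUrl` runs on the raw attribute string, so it is case-sensitive and position-sensitive, whereas browsers match schemes case-insensitively and discard leading whitespace and embedded tab or newline characters before resolving the scheme. A value that differs from the literal `javascript:` or `vbscript:` only in those respects would be returned unchanged and kept in the snapshot. Normalising before the comparison closes that gap: `const scheme = url.replace(/[\u0000-\u0020]/g, '').toLowerCase();` followed by `if (scheme.startsWith('javascript:') || scheme.startsWith('vbscript:'))`. A one-line comment on the method stating that it blanks script-executing schemes so a recorded snapshot cannot run page-supplied script would also help the next reader.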
| @ -297,7 +297,7 @@ export function rewriteURLForCustomProtocol(href: string): string { | ||||
|   try { | ||||
|     const url = new URL(href); | ||||
|     // Sanitize URL.
 | ||||
|     if (url.protocol === 'javascript:') | ||||
|     if (url.protocol === 'javascript:' || url.protocol === 'vbscript:') | ||||
|       return 'javascript:void(0)'; | ||||
| 
 | ||||
|     // Pass through if possible.
 | ||||
|  | ||||
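Review bot: The `// Sanitize URL.` comment above the protocol check does not say which schemes are rejected or why, and the list is now a chain of `===` comparisons that must be edited for every addition. Because `new URL(href)` already lower-cases the scheme, a set lookup is sufficient here: `const kBlockedProtocols = new Set(['javascript:', 'vbscript:']);` and `if (kBlockedProtocols.has(url.protocol))`, with the comment reworded to `// Neutralize script-executing schemes so the rendered snapshot never runs page-supplied code.` The rest of the function, including the `catch` for hrefs that `new URL` rejects, lies outside the hunk, so it cannot be confirmed from here whether unparsable values are neutralised as well.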
	 Elijah
						Elijah