From e4e1f2d94a3b513bbcc970e4d074acade70c99ca Mon Sep 17 00:00:00 2001 From: kamre Date: Tue, 24 Aug 2021 20:11:48 +0700 Subject: [PATCH] Always stop event propagation for click on the link generated from markdown. (#1039) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jesús Espino Co-authored-by: Hossein Co-authored-by: Harshil Sharma --- webapp/src/utils.test.ts | 2 +- webapp/src/utils.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/webapp/src/utils.test.ts b/webapp/src/utils.test.ts index ce316df9e..0e6760747 100644 --- a/webapp/src/utils.test.ts +++ b/webapp/src/utils.test.ts @@ -25,7 +25,7 @@ describe('utils', () => { describe('htmlFromMarkdown', () => { test('should not allow XSS on links href on the webapp', () => { - expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe('

') + expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe('

') }) test('should not allow XSS on links href on the desktop app', () => { diff --git a/webapp/src/utils.ts b/webapp/src/utils.ts index a5764e113..5b57db1bc 100644 --- a/webapp/src/utils.ts +++ b/webapp/src/utils.ts @@ -151,7 +151,7 @@ class Utils { 'rel="noreferrer" ' + `href="${encodeURI(href || '')}" ` + `title="${title ? encodeURI(title) : ''}" ` + - ((window as any).openInNewBrowser ? 'onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);"' : '') + + `onclick="event.stopPropagation();${((window as any).openInNewBrowser ? ' openInNewBrowser && openInNewBrowser(event.target.href);' : '')}"` + '>' + contents + '' } const html = marked(text.replace(/
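Review bot: The `onclick="event.stopPropagation();…"` attribute in the `utils.ts` hunk is now emitted for every link rendered from markdown, so the fix depends on inline event handlers being allowed. Under a Content-Security-Policy that omits `'unsafe-inline'` for scripts the handler would be dropped silently, and keeping inline handlers allowed weakens the page's XSS defence. A delegated listener on the element that receives this HTML avoids the attribute, e.g. `container.addEventListener('click', (e) => { if ((e.target as HTMLElement).closest('a')) e.stopPropagation() })`, where `container` is a placeholder for that element. Separately, `href` is only passed through `encodeURI`, which escapes quotes but leaves the URL scheme as written; no scheme allow-list is visible here, so confirm one exists elsewhere or restrict links to `http:`, `https:` and `mailto:` before building the tag. The enclosing renderer function starts and ends outside the hunk, so any filtering before or after this concatenation is not visible.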