Chore secure rel in markdown (#31314) (#31325)

* Making sure we whitelist *.elastic.co in our markdown parser
Joel Griffith 2019-02-16 09:02:52 -08:00 committed by GitHub
parent bc5e1a81e5
commit f3b7de3643
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 2 deletions


@ -22,6 +22,7 @@ import React, { PureComponent } from 'react';
import PropTypes from 'prop-types';
import MarkdownIt from 'markdown-it';
import { memoize } from 'lodash';
import { getSecureRelForTarget } from '@elastic/eui';
/**
* Return a memoized markdown rendering function that use the specified
@ -53,9 +54,13 @@ export const markdownFactory = memoize((whiteListedRules = [], openLinksInNewTab
return self.renderToken(tokens, idx, options);
};
markdownIt.renderer.rules.link_open = function (tokens, idx, options, env, self) {
tokens[idx].attrPush(['target', '_blank']);
const href = tokens[idx].attrGet('href');
const target = '_blank';
const rel = getSecureRelForTarget({ href, target });
// https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
tokens[idx].attrPush(['rel', 'noopener noreferrer']);
tokens[idx].attrPush(['target', target]);
tokens[idx].attrPush(['rel', rel]);
return originalLinkRender(tokens, idx, options, env, self);
};
}
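Review bot: The rewritten `link_open` rule still adds `target` and `rel` with `attrPush`, which appends rather than replaces; if a token already carries one of those attributes (for instance set by another markdown-it rule or plugin), the rendered `<a>` gets a duplicate, and HTML parsers keep the first occurrence, so the computed secure `rel` could be silently ignored. Using `tokens[idx].attrSet('target', target);` and `tokens[idx].attrSet('rel', rel);` instead makes the emitted attributes deterministic. `attrGet('href')` returns `null` when the token has no href, so `getSecureRelForTarget` is then called with `href: null`; presumably the helper treats that as an untrusted origin, but that is worth confirming and recording with a comment such as `// a missing href must fall back to the strict rel value`. The enclosing `markdownFactory` and the block closed by the final `}` both start outside this hunk.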


@ -45,6 +45,26 @@ test('should render links with parentheses correctly', () => {
expect(component.render().find('a').prop('href')).toBe('https://example.com/foo/bar?group=(()filters:!t)');
});
test('should add `noreferrer` and `nooopener` to unknown links in new tabs', () => {
const component = shallow(
<Markdown
openLinksInNewTab={true}
markdown="[link](https://example.com/foo/bar?group=(()filters:!t))"
/>
);
expect(component.render().find('a').prop('rel')).toBe('noopener noreferrer');
});
test('should only add `nooopener` to known links in new tabs', () => {
const component = shallow(
<Markdown
openLinksInNewTab={true}
markdown="[link](https://www.elastic.co/cool/path"
/>
);
expect(component.render().find('a').prop('rel')).toBe('noopener');
});
describe('props', () => {
const markdown = 'I am *some* [content](https://en.wikipedia.org/wiki/Content) with `markdown`';
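Review bot: The markdown in the `should only add` test (`markdown="[link](https://www.elastic.co/cool/path"`) is missing its closing parenthesis, so it is not a well-formed markdown link; whether the output still contains an `<a>` then depends on the parser's autolink configuration, which is outside this hunk, and the assertion may be passing for a different reason than the one the test describes. Change it to `markdown="[link](https://www.elastic.co/cool/path)"` so the test exercises the same link syntax as the preceding one. Both new test titles also misspell `noopener` as `nooopener`. The `describe('props', …)` block at the end continues outside the hunk.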