Commit graph

1 commit

Author SHA1 Message Date
Evan Morikawa
a7b652a31d fix(iframe): catch relative and malformed uris
Summary:
Fixes T3252

When links were clicked with malformed, relative, or malicious href links
we'd perform default behavior instead of catching them.

If you have href="www.foo.bar" the browser by default thinks it's a
relative link. In our case it would prepend the full default base URI
which is file://path/to/edgehill. This would at best fail to do anything
and at worst execute an arbitrary file.

We now blacklist `file:` and check for the existence of a valid RFC 3986
schema on the URI.

Test Plan: manual

Reviewers: bengotow

Reviewed By: bengotow

Maniphest Tasks: T3252

Differential Revision: https://phab.nylas.com/D1888
2015-08-19 10:20:41 -07:00