mirror of
https://github.com/Foundry376/Mailspring.git
synced 2024-09-24 17:26:06 +08:00
06a1eb42b2
Summary: Fixes T3252

When links were clicked with malformed, relative, or malicious href links we'd perform default behavior instead of catching them. If you have href="www.foo.bar" the browser by default thinks it's a relative link. In our case it would prepend the full default base URI which is file://path/to/edgehill. This would at best fail to do anything and at worst execute an arbitrary file.

We now blacklist `file:` and check for the existence of a valid RFC 3986 schema on the URI.

Test Plan: manual

Reviewers: bengotow

Reviewed By: bengotow

Maniphest Tasks: T3252

Differential Revision: https://phab.nylas.com/D1888

- evented-iframe-spec.cjsx
- form-builder-spec.cjsx
- multiselect-list-interaction-handler-spec.coffee
- multiselect-split-interaction-handler-spec.coffee
- tokenizing-text-field-spec.cjsx