sanitize urls as code scanning suggestions (#1412)

* sanitize url in DebugEditMetadata as suggested by code scanning

* sanitize urls
EnzoVezzaro 2022-05-10 05:11:53 -04:00 committed by GitHub
parent 89f2521025
commit 1fcc3b1356
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 18 additions and 6 deletions

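--- /dev/null
+++ b/src/@utils/url.ts
@@ -0,0 +1,10 @@
+export function sanitizeUrl(url: string) {
+const u = decodeURI(url).trim().toLowerCase()
+if (
+u.startsWith('javascript:') ||
+u.startsWith('data:') ||
+u.startsWith('vbscript:')
+)
+return 'about:blank'
+return url
+}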
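Review bot: `decodeURI` on the second line of `sanitizeUrl` throws `URIError` for any malformed percent-escape (a bare `%` or `%E0` typed into the link field), so a user-supplied URL makes every caller throw instead of being cleaned; the decode should be wrapped and a failure treated as unsafe. `trim()` also only strips the ends, while browsers ignore tab and newline anywhere in a URL, so `java\tscript:alert(1)` passes the prefix check and still runs as a `javascript:` link — strip ASCII control characters and whitespace throughout before comparing. A scheme allowlist (`http:`, `https:` and whatever the marketplace must accept, e.g. `ipfs:`) would be more robust than this three-entry blocklist, which still lets `file:`, `blob:` and similar through, but which schemes are required is not visible here. The function also has no doc comment; something like `/** Returns url unchanged unless it resolves to a javascript:/data:/vbscript: scheme, in which case 'about:blank' is returned. */` would help callers.
```typescript
export function sanitizeUrl(url: string) {
  let decoded: string
  try {
    decoded = decodeURI(url)
  } catch {
    // malformed percent-escape: refuse it rather than let URIError reach callers
    return 'about:blank'
  }
  // browsers drop tab/newline anywhere in a URL, so strip control characters and
  // whitespace throughout (trim() only handles the ends) before matching the scheme
  const u = decoded.replace(/[\u0000-\u0020]/g, '').toLowerCase()
  // … unchanged: javascript:/data:/vbscript: prefix check and the return of url …
}
```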


@ -3,6 +3,7 @@ import React, { ReactElement } from 'react'
import DebugOutput from '@shared/DebugOutput'
import { MetadataEditForm } from './_types'
import { mapTimeoutStringToSeconds } from '@utils/ddo'
import { sanitizeUrl } from '@utils/url'
export default function DebugEditMetadata({
values,
@ -12,7 +13,8 @@ export default function DebugEditMetadata({
asset: Asset
}): ReactElement {
const linksTransformed = values.links?.length &&
values.links[0].valid && [values.links[0].url.replace('javascript:', '')]
values.links[0].valid && [sanitizeUrl(values.links[0].url)]
const newMetadata: Metadata = {
...asset?.metadata,
name: values.name,
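Review bot: The `sanitizeUrl(values.links[0].url)` call on the `linksTransformed` line runs in `DebugEditMetadata`'s render path with no try/catch, and `sanitizeUrl` calls `decodeURI`, which throws `URIError` on a malformed percent-escape such as a bare `%`; typing that into the links field would presumably throw during render instead of yielding a cleaned value. The right place for the fix is `sanitizeUrl` itself (catch the `URIError` there and return `'about:blank'`); failing that, guard the call here with a local helper that catches and returns the same sentinel. Independently, the `&&` chain still yields `0` or `false` rather than an array when there are no links, which is pre-existing, but a comment such as `// 0/false/undefined when there is no valid link; newMetadata.links receives that as-is` would tell readers what actually lands in `newMetadata`. The component body continues past this hunk.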


@ -23,6 +23,7 @@ import { getOceanConfig } from '@utils/ocean'
import EditFeedback from './EditFeedback'
import { useAsset } from '@context/Asset'
import { setNftMetadata } from '@utils/nft'
import { sanitizeUrl } from '@utils/url'
export default function Edit({
asset
@ -64,9 +65,7 @@ export default function Edit({
) {
try {
const linksTransformed = values.links?.length &&
values.links[0].valid && [
values.links[0].url.replace('javascript:', '')
]
values.links[0].valid && [sanitizeUrl(values.links[0].url)]
const updatedMetadata: Metadata = {
...asset.metadata,
name: values.name,
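Review bot: On the `linksTransformed` line a link that `sanitizeUrl` rejects is not dropped but replaced by the literal `'about:blank'`, which then flows into `updatedMetadata.links` and, via the `setNftMetadata` import added above, presumably gets persisted as the asset's link with no feedback to the user. A rejected URL should be treated as no link rather than stored as a placeholder, e.g. `const safeLink = sanitizeUrl(values.links[0].url)` followed by `values.links[0].valid && safeLink !== 'about:blank' && [safeLink]`, and the form should tell the user why the link was discarded. The `valid` flag is computed elsewhere, so it is unclear here whether form validation already rejects these schemes; if it does, a comment like `// form validation already excludes javascript:/data: URLs; sanitizeUrl is defense in depth` would explain why both checks exist. `Edit`'s try block and its catch lie outside this hunk.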


@ -31,6 +31,7 @@ import {
publisherMarketPoolSwapFee,
publisherMarketFixedSwapFee
} from '../../../app.config'
import { sanitizeUrl } from '@utils/url'
export function getFieldContent(
fieldName: string,
@ -95,9 +96,9 @@ export async function transformPublishFormToDdo(
// Transform from files[0].url to string[] assuming only 1 file
const filesTransformed = files?.length &&
files[0].valid && [files[0].url.replace('javascript:', '')]
files[0].valid && [sanitizeUrl(files[0].url)]
const linksTransformed = links?.length &&
links[0].valid && [links[0].url.replace('javascript:', '')]
links[0].valid && [sanitizeUrl(links[0].url)]
const newMetadata: Metadata = {
created: currentTime,