Re: [PR] fix(safemarkdown): sanitize markdown link protocols [superset]

Mon, 01 Jun 2026 16:45:30 -0700 


rusackas commented on code in PR #40621:
URL: https://github.com/apache/superset/pull/40621#discussion_r3337773885


##########
superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown/SafeMarkdown.tsx:
##########
@@ -25,6 +25,17 @@ import remarkGfm from 'remark-gfm';
 import { mergeWith } from 'lodash';
 import { FeatureFlag, isFeatureEnabled } from '../../utils';
 
+// Reject link protocols that can execute script; allow everything else
+// (including the custom schemes supported since #26211).
+const DANGEROUS_LINK_PROTOCOL = /^\s*(?:javascript|vbscript|data):/i;
+
+export function transformMarkdownLinkUri(uri: string): string {
+  if (typeof uri !== 'string') {
+    return '';
+  }
+  return DANGEROUS_LINK_PROTOCOL.test(uri) ? '' : uri;
+}

Review Comment:
   Good catch — applied. We now strip ASCII control characters (C0 range + DEL, 
`/[\u0000-\u001F\u007F]/g`) from the URI before the protocol regex test, so 
`java\nscript:` and similar variants are caught. Pushed in the latest commit.



##########
superset-frontend/packages/superset-ui-core/test/components/SafeMarkdown.test.tsx:
##########
@@ -52,6 +53,46 @@ describe('getOverrideHtmlSchema', () => {
   });
 });
 
+describe('transformMarkdownLinkUri', () => {
+  test('should drop javascript: protocol links', () => {
+    expect(transformMarkdownLinkUri('javascript:alert(1)')).toEqual('');
+  });
+
+  test('should drop links with leading whitespace and mixed case', () => {
+    expect(transformMarkdownLinkUri('  JavaScript:alert(1)')).toEqual('');
+  });
+
+  test('should drop vbscript: protocol links', () => {
+    expect(transformMarkdownLinkUri('vbscript:msgbox(1)')).toEqual('');
+  });

Review Comment:
   Added tests for the `\n` and `\t` embedded-control-char bypass variants in 
the latest commit. The normalization step in the implementation ensures both 
are caught.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to