github-advanced-security[bot] commented on code in PR #40622:
URL: https://github.com/apache/superset/pull/40622#discussion_r3352678039
##########
superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown/SafeMarkdown.tsx:
##########
@@ -31,6 +31,51 @@
htmlSchemaOverrides?: typeof defaultSchema;
}
+// Link protocols that can execute script when used as an href.
+const DANGEROUS_LINK_PROTOCOLS = ['javascript', 'vbscript', 'data'];
+
+/**
+ * Sanitize link hrefs without using react-markdown's default protocol
+ * allowlist, which would strip the custom link schemes that Superset markdown
+ * is expected to support (see #26211). Instead of allowlisting known-safe
+ * protocols, this blocks the protocols that enable script execution and leaves
+ * everything else (http(s), mailto, relative URLs, anchors and custom schemes)
+ * untouched. Applied regardless of the EscapeMarkdownHtml feature flag.
+ */
+export function transformLinkUri(uri: string): string {
+ // Per the WHATWG URL parser, browsers strip leading and trailing C0 control
+ // characters (\x00-\x1f) and space before resolving the scheme, so e.g.
+ // "\x01javascript:alert(1)" executes on click. Strip them here too,
+ // otherwise the blocklist check below could be bypassed with a leading
+ // control character. (This also subsumes the previous .trim().)
+ // eslint-disable-next-line no-control-regex
+ const url = (uri || '').replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
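Review bot: the trailing alternative `[\u0000-\u0020]+$` in the regex on the last line of the hunk backtracks quadratically on an input such as `'a' + '\u0000'.repeat(n) + 'b'`: at each offset inside the run the engine matches the whole run, fails the `$` anchor, and retries from the next offset, which is the polynomial-regex finding CodeQL reports below. Since the intent is only to strip leading and trailing code points in the range 0x00-0x20 (and `String.prototype.trim()` does not cover the C0 controls outside the whitespace set), replace the regex with a linear index scan, e.g. `let start = 0, end = s.length; while (start < end && s.charCodeAt(start) <= 0x20) start++; while (end > start && s.charCodeAt(end - 1) <= 0x20) end--;` and `const url = s.slice(start, end);`, which also removes the need for the `no-control-regex` eslint exemption. Whichever form is kept, add a unit test with a leading control character (the `"\x01javascript:..."` case the comment describes) and one with a long embedded run of `\u0000`, so the bypass and the performance regression are both pinned.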
Review Comment:
## CodeQL / Polynomial regular expression used on uncontrolled data
This [regular expression](1) that depends on [library input](2) may run slow
on strings with many repetitions of '\u0000'.
[Show more details](https://github.com/apache/superset/security/code-scanning/2526)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]