author | Harrison Healey <harrisonmhealey@gmail.com> | 2017-01-04 09:29:19 -0500 |
---|---|---|
committer | Corey Hulen <corey@hulen.com> | 2017-01-04 09:29:19 -0500 |
commit | c0a5f9fbef710173b6b8933252cc97fe1109c09b (patch) | |
tree | 3c76b8027b5ae1b684ef26309641a616e0e770d8 | |
parent | f1679cb2a0435834ae5e2e3284e686830753d06a (diff) | |
download | chat-c0a5f9fbef710173b6b8933252cc97fe1109c09b.tar.gz chat-c0a5f9fbef710173b6b8933252cc97fe1109c09b.tar.bz2 chat-c0a5f9fbef710173b6b8933252cc97fe1109c09b.zip |
Added an extra layer of sanitization to error page links (#4953)
-rw-r--r-- | webapp/components/error_page.jsx | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/webapp/components/error_page.jsx b/webapp/components/error_page.jsx
index d4d04bf12..7de488f06 100644
--- a/webapp/components/error_page.jsx
+++ b/webapp/components/error_page.jsx
@@ -13,9 +13,11 @@ export default class ErrorPage extends React.Component {
 componentDidMount() {
 $('body').attr('class', 'sticky error');
 }
+
 componentWillUnmount() {
 $('body').attr('class', '');
 }
+
 render() {
 let title = this.props.location.query.title;
 if (!title || title === '') {
@@ -30,6 +32,9 @@ export default class ErrorPage extends React.Component {
 let link = this.props.location.query.link;
 if (!link || link === '') {
 link = '/';
+ } else if (link.startsWith('javascript:') || link.startsWith('vbscript:') || link.startsWith('data:')) { // eslint-disable-line no-script-url
+ // Sanitize out any script links
+ link = '/';
 }
 let linkMessage = this.props.location.query.linkmessage; |
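Review bot: The new `else if` in the second hunk is a case-sensitive denylist, so it only recognises the three schemes when they are written in lower case with nothing in front of them, whereas browsers compare URL schemes case-insensitively and discard leading whitespace and embedded tab or newline characters before resolving a link. An allowlist is sturdier than enumerating bad schemes: keep `link` only when it is a string naming a same-site path or an http(s) URL, for example `} else if (typeof link !== 'string' || !(/^\/(?![\/\\])/.test(link) || /^https?:\/\//i.test(link))) {`, and fall back to `'/'` otherwise. The `typeof` test also covers a repeated `link` query parameter, which the query parser presumably hands over as an array, in which case `startsWith` would throw during render. `render()` continues outside the hunk, so how `link` reaches the anchor is assumed here rather than seen.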