[5.6] Add whitelist for urls (elastic#14613) (elastic#14621)
* Add whitelist for urls (elastic#14613)

* Add url whitelist

* Use .some

* Add/fix tests

* Add browser tests

* Add fix
chrisronline authored Oct 26, 2017
1 parent 234e360 commit f5274c1
Showing 2 changed files with 28 additions and 5 deletions.
26 changes: 22 additions & 4 deletions src/ui/public/stringify/__tests__/_url.js
@@ -44,11 +44,11 @@ describe('Url Format', function () {

describe('url template', function () {
it('accepts a template', function () {
const url = new Url({ urlTemplate: 'url: {{ value }}' });
const url = new Url({ urlTemplate: 'http://{{ value }}' });
const $a = unwrap($(url.convert('url', 'html')));
expect($a.is('a')).to.be(true);
expect($a.size()).to.be(1);
expect($a.attr('href')).to.be('url: url');
expect($a.attr('href')).to.be('http://url');
expect($a.attr('target')).to.be('_blank');
expect($a.children().size()).to.be(0);
});
@@ -61,11 +61,11 @@ describe('Url Format', function () {

describe('label template', function () {
it('accepts a template', function () {
const url = new Url({ labelTemplate: 'extension: {{ value }}' });
const url = new Url({ labelTemplate: 'extension: {{ value }}', urlTemplate: 'http://www.{{value}}.com' });
const $a = unwrap($(url.convert('php', 'html')));
expect($a.is('a')).to.be(true);
expect($a.size()).to.be(1);
expect($a.attr('href')).to.be('php');
expect($a.attr('href')).to.be('http://www.php.com');
expect($a.html()).to.be('extension: php');
});

@@ -109,5 +109,23 @@ describe('Url Format', function () {
});
});
});

describe('whitelist', function () {
it('should spit out the raw value if the value is not in the whitelist', function () {
const url = new Url();

expect(url.convert('www.elastic.co', 'html'))
.to.be('<span ng-non-bindable>www.elastic.co</span>');

expect(url.convert('elastic.co', 'html'))
.to.be('<span ng-non-bindable>elastic.co</span>');

expect(url.convert('elastic', 'html'))
.to.be('<span ng-non-bindable>elastic</span>');

expect(url.convert('ftp://elastic.co', 'html'))
.to.be('<span ng-non-bindable>ftp://elastic.co</span>');
});
});
});
});
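Review bot: The new `whitelist` test asserts only scheme-less values and `ftp://`, so the case the allowlist presumably exists for, a value whose scheme can carry script (`javascript:`, `data:`), is never pinned, and neither is a mixed-case `HTTP://` value. Adding one assertion per case to the same `it` block, in the existing `expect(url.convert(value, 'html')).to.be('<span ng-non-bindable>…</span>')` form, would stop a later relaxation of the prefix check from passing silently. None of the inputs contains `<`, `&` or a quote, so the test also does not show that the raw-value path is HTML-escaped; one such input would cover that. A case with `type: 'img'` and a non-allowlisted value would document whether that branch is meant to be restricted as well.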
7 changes: 6 additions & 1 deletion src/ui/public/stringify/types/url.js
@@ -8,7 +8,7 @@ import { getHighlightHtml } from 'ui/highlight';
export function stringifyUrl(Private) {

const FieldFormat = Private(IndexPatternsFieldFormatProvider);

const whitelistUrlSchemes = ['http://', 'https://'];

_.class(Url).inherits(FieldFormat);
function Url(params) {
@@ -102,6 +102,11 @@ export function stringifyUrl(Private) {

return `<img src="${url}" alt="${imageLabel}">`;
default:
const inWhitelist = whitelistUrlSchemes.some(scheme => url.indexOf(scheme) === 0);
if (!inWhitelist) {
return url;
}

let linkLabel;

if (hit && hit.highlight && hit.highlight[field.name]) {
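Review bot: The scheme check sits inside `default:` only, so the `img` case directly above it still interpolates `url` into `src` without consulting `whitelistUrlSchemes`. If the intent is that only `http://` and `https://` values ever reach an attribute, hoist the check above the `switch`, e.g. `if (!whitelistUrlSchemes.some(scheme => url.indexOf(scheme) === 0)) return url;`. The prefix match is case-sensitive, so a value such as `HTTP://host` is rendered as text rather than a link; that fails closed, but comparing against `url.toLowerCase()` would match how browsers treat schemes. The early `return url;` is only safe if `url` was HTML-escaped before the `switch`, which this hunk does not show; it is worth confirming and recording in a comment on that line. The `switch` and the enclosing converter begin outside the hunk.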