fix(dashboard): sanitize href input in text widget

awslabs · Aug 6, 2024 · 6c2bd5f · 6c2bd5f
1 parent 982b23f
commit 6c2bd5f
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/dashboard/package.json b/packages/dashboard/package.json
@@ -66,6 +66,7 @@
     "@types/papaparse": "^5.3.10",
     "@types/react": "^18.2.12",
     "@types/react-dom": "^18.2.5",
+    "@types/validator": "^13.12.0",
     "css-loader": "6.8.1",
     "dotenv": "^16.3.1",
     "eslint-config-iot-app-kit": "10.10.1",

diff --git a/packages/dashboard/src/customization/widgets/text/link/index.tsx b/packages/dashboard/src/customization/widgets/text/link/index.tsx
@@ -2,7 +2,9 @@ import type { CSSProperties } from 'react';
 import React from 'react';
 import { defaultFontSettings } from '../styledText/defaultFontSettings';
 import type { TextWidget } from '../../types';
-import isValidUrl from 'is-url';
+// import isValidUrl from 'is-url';
+import DOMPurify from 'dompurify';
+import { isURL } from 'validator';
 
 type TextLinkProps = TextWidget;
 
@@ -23,7 +25,9 @@ const TextLink: React.FC<TextLinkProps> = (widget) => {
     color: fontColor,
   };
 
-  const renderedHref = href && isValidUrl(href) ? href : undefined;
+  const sanitizedHref = href ? DOMPurify.sanitize(href) : undefined;
+  const isValidUrl = sanitizedHref ? isURL(sanitizedHref) : false;
+  const renderedHref = isValidUrl ? sanitizedHref : undefined;
 
   return (
     <a href={renderedHref} className={className} style={style}>