From 7bc376300cea89de28e1368c3dcdf25e4ba4e2c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sampo=20Kivist=C3=B6?=
Date: Fri, 17 Jun 2022 14:09:19 +0300
Subject: [PATCH] Added warning in development mode when rendering link with javascript:url, fixes Github https://github.com/infernojs/inferno/issues/1594
---
 packages/inferno/__tests__/link.spec.tsx | 54 ++++++++++++++++++++++++
 packages/inferno/src/DOM/props.ts | 7 ++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 packages/inferno/__tests__/link.spec.tsx
diff --git a/packages/inferno/__tests__/link.spec.tsx b/packages/inferno/__tests__/link.spec.tsx
new file mode 100644
index 000000000..468b11cdc
--- /dev/null
+++ b/packages/inferno/__tests__/link.spec.tsx
@@ -0,0 +1,54 @@
+/* tslint:disable:no-console */
+import { render } from 'inferno';
+
+describe('Links', () => {
+ let container;
+
+ beforeEach(function () {
+ container = document.createElement('div');
+ document.body.appendChild(container);
+ });
+
+ afterEach(function () {
+ render(null, container);
+ container.innerHTML = '';
+ document.body.removeChild(container);
+ });
+
+ describe('javascript href', function () {
+ it('Should log warning when rendering link starting with javascript::', function () {
+ spyOn(console, 'error');
+
+ render(test, container);
+
+ expect(console.error).toHaveBeenCalledTimes(1);
+ expect(console.error).toHaveBeenCalledWith(
+ 'Rendering links with javascript: URLs is not recommended. Use event handlers instead if you can. Inferno was passed "javascript:foobar".'
+ );
+ expect(container.innerHTML).toEqual('test');
+ });
+
+ it('Should allow patching link to null', function () {
+ spyOn(console, 'error');
+
+ render(test, container);
+
+ expect(console.error).toHaveBeenCalledTimes(1);
+
+ render(test, container);
+
+ expect(console.error).toHaveBeenCalledTimes(1);
+
+ expect(container.innerHTML).toEqual('test');
+ });
+
+ it('Should not log warning when rendering regular link', function () {
+ spyOn(console, 'error');
+
+ render(test, container);
+
+ expect(console.error).toHaveBeenCalledTimes(0);
+ expect(container.innerHTML).toEqual('test');
+ });
+ });
+});
diff --git a/packages/inferno/src/DOM/props.ts b/packages/inferno/src/DOM/props.ts
index c40d480cf..80bb5c008 100644
--- a/packages/inferno/src/DOM/props.ts
+++ b/packages/inferno/src/DOM/props.ts
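Review bot: The three cases in `describe('javascript href', …)` pin only the exact lowercase `javascript:` prefix, so the suite stays green even if the check in props.ts misses a mixed-case scheme or a value with leading whitespace, both of which browsers still resolve to the javascript scheme. Add one case per variant next to 'Should log warning when rendering link starting with javascript::' asserting that `console.error` is called once. That title also carries a doubled colon (`javascript::`). The JSX passed to `render(…)` is not visible in this rendering of the patch, so check the existing cases against the real file.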
@@ -1,6 +1,6 @@
 import type { VNode } from '../core/types';
 import { namespaces } from './constants';
-import { isNull, isNullOrUndef, isString } from 'inferno-shared';
+import { isNull, isNullOrUndef, isString, warning } from 'inferno-shared';
 import { handleSyntheticEvent, syntheticEvents } from './events/delegation';
 import { ChildFlags, VNodeFlags } from 'inferno-vnode-flags';
 import { isSameInnerHTML } from './utils/innerHTML';
@@ -159,6 +159,11 @@ export function patchProp(
 // If we end up in this path we can read property again
 dom.setAttributeNS(namespaces[prop], prop, nextValue);
 } else {
+ if (process.env.NODE_ENV !== 'production') {
+ if (prop === 'href' && isString(nextValue) && nextValue.indexOf('javascript:') === 0) {
+ warning('Rendering links with javascript: URLs is not recommended. Use event handlers instead if you can. Inferno was passed "' + nextValue + '".');
+ }
+ }
 dom.setAttribute(prop, nextValue);
 }
 break;
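Review bot: The added guard `nextValue.indexOf('javascript:') === 0` is a case-sensitive exact-prefix match, but URL schemes are case-insensitive and browsers ignore leading whitespace and embedded tab or newline characters, so such an href reaches `dom.setAttribute` without the warning. Normalise before matching, for example `/^[\u0000-\u0020]*javascript:/i.test(nextValue.replace(/[\t\r\n]/g, ''))`. The check also sits only on the plain `setAttribute` branch and only for `href`. The `setAttributeNS` branch just above (presumably namespaced props such as `xlink:href`) and other URL-bearing attributes are not covered. It would help to add a comment such as `// Dev-only advisory: the attribute is still set; callers must validate untrusted URLs themselves`, since nothing here blocks the value in production. `patchProp` starts and ends outside this hunk.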