Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: isAllowedURI disregards custom protocols #5468

Closed
1 task done
Nantris opened this issue Aug 11, 2024 · 7 comments
Closed
1 task done

[Bug]: isAllowedURI disregards custom protocols #5468

Nantris opened this issue Aug 11, 2024 · 7 comments
Labels
Category: Open Source The issue or pull reuqest is related to the open source packages of Tiptap. Type: Bug The issue or pullrequest is related to a bug

Comments

@Nantris
Copy link
Contributor

Nantris commented Aug 11, 2024

Affected Packages

extension-link

Version(s)

2.5.9

Bug Description

The link extension accepts custom protocols, but then it rejects them anyway since the XSS fix: https://github.com/ueberdosis/tiptap/blob/84febb29c7092ba0393af78fb44be29e0befa3f4/packages/extension-link/src/link.ts#L112C9-L114C1

Browser Used

Chrome

Code Example URL

No response

Expected Behavior

Custom protocols should be allowed - eg file:// is necessary in our case.

Additional Context (Optional)

No response

Dependency Updates

  • Yes, I've updated all my dependencies.
@Nantris Nantris added Category: Open Source The issue or pull reuqest is related to the open source packages of Tiptap. Type: Bug The issue or pullrequest is related to a bug labels Aug 11, 2024
@github-project-automation github-project-automation bot moved this to Triage open in Tiptap Aug 11, 2024
@Nantris
Copy link
Contributor Author

Nantris commented Aug 11, 2024

Suggest change: Make isAllowedURI accept a custom checker function to use in addition to the default logic (not instead of it.)

@nperez0111
Copy link
Contributor

Good catch, I think that we need to respect the protocols that have been allowed.
Maybe, if there is need for a custom checker function we can add it later, but the current bug is that it is not respecting the protocols option.

nperez0111 added a commit that referenced this issue Aug 12, 2024
@nperez0111
fix(link): respect custom protocols #5468
d766bd5
@kolaente kolaente mentioned this issue Aug 12, 2024
Closed
@nperez0111 nperez0111 mentioned this issue Aug 13, 2024
Merged
5 tasks
nperez0111 added a commit that referenced this issue Aug 15, 2024
@nperez0111
fix(link): respect custom protocols #5468 (#5470)
593f107 
When [we fixed a XSS vuln](#5160), we inadvertently broke the ability to use custom protocols, this resolves that by allowing additional custom protocols to be considered valid and not stripped out
@github-actions github-actions bot mentioned this issue Aug 15, 2024
Merged
@rfgamaral
Copy link
Contributor

@nperez0111 Same as this one, latest releases says this is fixed, but issue is still opened.

@nperez0111
Copy link
Contributor

Yep this is resolved

@github-project-automation github-project-automation bot moved this from Triage open to Done in Tiptap Aug 19, 2024
@Nantris
Copy link
Contributor Author

Nantris commented Aug 20, 2024

I think a custom checker function would be better. This approach still disallows our custom links if they don't start with a protocol (they're transformed to include protocols elsewhere in our code, since we control the execution environment) and it forces inclusion of unsupported protocols - we don't support cid, xmpp, etc

We still have to patch in ~50 lines, essentially copied from @tiptap/link-extension, to allow our links to work.

It's not feasible for us to adapt to the current approach. I understand if you feel this is not worth implementing, but it's disappointing to have to duplicate 50 lines of code just to add an ability to pass a custom checker function (2 lines of code.)

@nperez0111
Copy link
Contributor

Appreciate the concern here @Nantris if you like could you create a PR to see that this is addressed?

Obviously my main concern was fixing the regression so I prioritized that. Now that we have that fixed we can figure out the better solution. It is already strange with a validate function and custom protocol handling I do feel a custom checker is in order with some of our changes as a default that can be overriden or something

@Nantris
Copy link
Contributor Author

Nantris commented Aug 21, 2024

Thanks for the reply @nperez0111! I'll be happy to do so. It's not a high priority right now since I'm running behind on other things, but I'd love to eliminate the code duplication so I'll definitely loop back on this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Category: Open Source The issue or pull reuqest is related to the open source packages of Tiptap. Type: Bug The issue or pullrequest is related to a bug
Projects
No open projects
Tiptap
Archived in project
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rfgamaral @nperez0111 @Nantris