Prevent links from being rendered in user bios (#13643)

diox · web-flow · commit b902612c188a · 2025-06-25T11:22:13.000+02:00
* Prevent links from being rendered in user bios
diff --git a/src/amo/pages/UserProfile/index.js b/src/amo/pages/UserProfile/index.js
@@ -416,7 +416,10 @@ export class UserProfileBase extends React.Component<InternalProps> {
                   >
                     <div
                       // eslint-disable-next-line react/no-danger
-                      dangerouslySetInnerHTML={sanitizeUserHTML(user.biography)}
+                      dangerouslySetInnerHTML={sanitizeUserHTML(
+                        user.biography,
+                        { allowLinks: false },
+                      )}
                     />
                   </Definition>
                 ) : null}
diff --git a/src/amo/utils/index.js b/src/amo/utils/index.js
@@ -220,9 +220,11 @@ export function nl2br(text: ?string): string {
  * Developer Hub when you hover over the *Some HTML Supported* link under
  * the textarea field.
  */
-export function sanitizeUserHTML(text: ?string): {| __html: string |} {
-  return sanitizeHTML(nl2br(text), [
-    'a',
+export function sanitizeUserHTML(
+  text: ?string,
+  { allowLinks = true }: { allowLinks: boolean } = {},
+): {| __html: string |} {
+  const allowTags = [
     'abbr',
     'acronym',
     'b',
@@ -235,7 +237,11 @@ export function sanitizeUserHTML(text: ?string): {| __html: string |} {
     'ol',
     'strong',
     'ul',
-  ]);
+  ];
+  if (allowLinks === true) {
+    allowTags.unshift('a');
+  }
+  return sanitizeHTML(nl2br(text), allowTags);
 }
 
 export function isAddonAuthor({
diff --git a/tests/unit/amo/pages/TestUserProfile.js b/tests/unit/amo/pages/TestUserProfile.js
@@ -379,6 +379,22 @@ describe(__filename, () => {
     ).toHaveTextContent(biographyText);
   });
 
+  it('does not render links in biography', () => {
+    const biographyText = 'Veni vidi vici';
+    const biography = `<a href="//example.com"><b>${biographyText}</b></a>`;
+    signInUserAndRenderUserProfile({ biography });
+
+    expect(screen.getByText('Biography')).toBeInTheDocument();
+    expect(screen.getByClassName('UserProfile-biography')).toHaveTextContent(
+      biographyText,
+    );
+    expect(
+      within(screen.getByClassName('UserProfile-biography')).queryByTagName(
+        'a',
+      ),
+    ).not.toBeInTheDocument();
+  });
+
   it('omits a null biography', () => {
     signInUserAndRenderUserProfile({ biography: null });
 
diff --git a/tests/unit/amo/utils/test_index.js b/tests/unit/amo/utils/test_index.js
@@ -672,6 +672,14 @@ describe(__filename, () => {
       expect(sanitize(customHtml)).toEqual(customHtml);
     });
 
+    it('can disallow links', () => {
+      const customHtml =
+        '<b>check</b> <i>out</i> <a href="http://mysite">my site</a>';
+      expect(sanitize(customHtml, { allowLinks: false })).toEqual(
+        '<b>check</b> <i>out</i> my site',
+      );
+    });
+
     it('does not allow certain tags', () => {
       expect(
         sanitize('<b>my add-on</b> <script>alert("does XSS")</script>'),
