Merge pull request #4324 from Ry0taK/feature/secure-links-by-default

Tyriar · web-flow · commit 902da2800b42 · 2022-12-16T09:32:54.000-08:00
Add allowNonHttpProtocols option to ILinkHandler
diff --git a/src/browser/OscLinkProvider.ts b/src/browser/OscLinkProvider.ts
@@ -66,14 +66,30 @@ export class OscLinkProvider implements ILinkProvider {
               y
             }
           };
-          // OSC links always use underline and pointer decorations
-          result.push({
-            text,
-            range,
-            activate: (e, text) => (linkHandler ? linkHandler.activate(e, text, range) : defaultActivate(e, text)),
-            hover: (e, text) => linkHandler?.hover?.(e, text, range),
-            leave: (e, text) => linkHandler?.leave?.(e, text, range)
-          });
+
+          let ignoreLink = false;
+          if (!linkHandler?.allowNonHttpProtocols) {
+            try {
+              const parsed = new URL(text);
+              if (!['http:', 'https:'].includes(parsed.protocol)) {
+                ignoreLink = true;
+              }
+            } catch (e) {
+              // Ignore invalid URLs to prevent unexpected behaviors
+              ignoreLink = true;
+            }
+          }
+
+          if (!ignoreLink) {
+            // OSC links always use underline and pointer decorations
+            result.push({
+              text,
+              range,
+              activate: (e, text) => (linkHandler ? linkHandler.activate(e, text, range) : defaultActivate(e, text)),
+              hover: (e, text) => linkHandler?.hover?.(e, text, range),
+              leave: (e, text) => linkHandler?.leave?.(e, text, range)
+            });
+          }
         }
         finishLink = false;
 
diff --git a/typings/xterm.d.ts b/typings/xterm.d.ts
@@ -1179,6 +1179,13 @@ declare module 'xterm' {
       * @param range The buffer range of the link.
       */
      leave?(event: MouseEvent, text: string, range: IBufferRange): void;
+    
+     /**
+      * Whether to receive non-HTTP URLs from LinkProvider. When false, any usage of non-HTTP URLs
+      * will be ignored. Enabling this option without proper protection in `activate` function
+      * may cause security issues such as XSS.
+      */
+     allowNonHttpProtocols?: boolean;
   }
 
   /**
