Merge branch 'djadmin-dompurify-allow-non-http-links' into 'master'

DOMPurify: Allow non-http links in urls

See merge request gitlab-org/gitlab!91491

app/assets/javascripts/lib/dompurify.js

@@ -8,6 +8,7 @@ const defaultConfig = {
   // See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421
   FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'],
   FORBID_TAGS: ['style', 'mstyle'],
+  ALLOW_UNKNOWN_PROTOCOLS: true,
 };
 
 // Only icons urls from `gon` are allowed

spec/frontend/lib/dompurify_spec.js

@@ -34,6 +34,17 @@ const unsafeUrls = [
   `${absoluteGon.sprite_file_icons}/../../https://evil.url`,
 ];
 
+/* eslint-disable no-script-url */
+const invalidProtocolUrls = [
+  'javascript:alert(1)',
+  'jAvascript:alert(1)',
+  'data:text/html,<script>alert(1);</script>',
+  ' javascript:',
+  'javascript :',
+];
+/* eslint-enable no-script-url */
+const validProtocolUrls = ['slack://open', 'x-devonthink-item://90909', 'x-devonthink-item:90909'];
+
 const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method'];
 const acceptedDataAttrs = ['data-random', 'data-custom'];
 
@@ -150,4 +161,16 @@ describe('~/lib/dompurify', () => {
       expect(sanitize(htmlHref)).toBe(`<a ${attrWithValue}>hello</a>`);
     });
   });
+
+  describe('with non-http links', () => {
+    it.each(validProtocolUrls)('should allow %s', (url) => {
+      const html = `<a href="${url}">internal link</a>`;
+      expect(sanitize(html)).toBe(`<a href="${url}">internal link</a>`);
+    });
+
+    it.each(invalidProtocolUrls)('should not allow %s', (url) => {
+      const html = `<a href="${url}">internal link</a>`;
+      expect(sanitize(html)).toBe(`<a>internal link</a>`);
+    });
+  });
 });