feat: validate URL schemes in SideNavItem, BreadcrumbsItem and Credits #9447
Draft
Artur- wants to merge 3 commits into
Mirror the Flow URL-scheme validation (vaadin/flow#24539) for the navigation and link sinks: SideNavItem#setPath, BreadcrumbsItem#setPath and Credits#setHref now reject URLs whose scheme is not considered safe, using UrlUtil#isSafeUrl and the shared UrlUtil#getUnsafeUrlMessage.
Safe schemes are configured through the com.vaadin.safeUrlSchemes property and default to http, https, mailto, tel and ftp. For trusted, hard-coded URLs each sink offers an unsafe variant that bypasses validation: SideNavItem#setUnsafePath, BreadcrumbsItem#setUnsafePath and Credits#setUnsafeHref.
Image and resource sinks (Avatar, SvgIcon, map and chart resource URLs) are intentionally left unvalidated: javascript: cannot execute there and data: URLs are a legitimate, common use.
* Update `SideNavItem` Javadoc to document unsafe scheme exceptions for constructors taking a path.
* Update `BreadcrumbsItem` Javadoc to document unsafe scheme exceptions for constructors taking a path.
* Add tests verifying that `IllegalArgumentException` is thrown when constructing items with unsafe URL schemes like `javascript:`.
* Update `AbstractLogin` to validate action URL schemes by default, throwing an `IllegalArgumentException` if an unsafe scheme (e.g., `javascript:`) is detected.
* Introduce a new `setUnsafeAction(String)` method to set the action URL without validation for controlled scenarios like hard-coded internal links.
* Add unit tests verifying that safe actions work as expected while unsafe schemes trigger exceptions in the default constructor but succeed when using `setUnsafeAction`.
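A scheme allow-list check of the kind the description outlines, added here as an illustration; it is not Vaadin's `UrlUtil` and not code from this PR. The class `SchemeAllowList` and its methods are hypothetical, the default scheme set is the one listed in the description, the handling of relative URLs and control characters is an assumption, and the sample URLs are constructed.

```java
import java.util.Locale;
import java.util.Set;

/** Hypothetical illustration of a URL-scheme allow-list; not Vaadin's UrlUtil. */
public final class SchemeAllowList {
    // Default safe schemes as listed in the PR description.
    static final Set<String> DEFAULT_SCHEMES =
            Set.of("http", "https", "mailto", "tel", "ftp");

    private final Set<String> allowed;

    public SchemeAllowList(Set<String> allowed) {
        this.allowed = Set.copyOf(allowed);
    }

    /** True for relative references and for URLs whose scheme is on the allow-list. */
    public boolean isSafe(String url) {
        if (url == null) {
            return false;
        }
        // Browsers drop tab and newline characters while parsing a URL, so a
        // scheme can be split by them; reject control characters outright
        // instead of trying to normalise (assumption of this example).
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        String trimmed = url.strip();
        int colon = trimmed.indexOf(':');
        // A '/', '?' or '#' before the first ':' means there is no scheme.
        for (int i = 0; i < trimmed.length() && (colon < 0 || i < colon); i++) {
            if ("/?#".indexOf(trimmed.charAt(i)) >= 0) {
                return true;
            }
        }
        if (colon < 0) {
            return true; // relative reference such as "orders" or ""
        }
        // Schemes are case-insensitive; compare in lower case.
        return allowed.contains(trimmed.substring(0, colon).toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        SchemeAllowList check = new SchemeAllowList(DEFAULT_SCHEMES);
        String[] samples = { // constructed inputs
            "https://example.com/a", "orders/42?tab=items", "mailto:a@example.com",
            "JavaScript:void(0)", "java\tscript:void(0)", "data:text/plain,hi" };
        for (String s : samples) {
            System.out.println((check.isSafe(s) ? "accept " : "reject ") + s.replace("\t", "\\t"));
        }
    }
}
```

A relative path whose first segment contains a colon (for example `view:1`) is rejected by this check and has to be written as `./view:1`, which is the conservative side to fail on.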