@ckeditor/ckeditor5-link - npm Package Compare versions

Comparing version 10.0.0 to 10.0.1


CHANGELOG.md
Changelog
=========
## [10.0.1](https://github.com/ckeditor/ckeditor5-link/compare/v10.0.0...v10.0.1) (2018-05-22)
### Bug fixes
* Fixed a cross-site scripting (XSS) vulnerability which allowed remote attackers to inject arbitrary web script through a crafted href attribute of a link (A) element. [CVE-2018-11093](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11093). ([8cb782e](https://github.com/ckeditor/ckeditor5-link/commit/8cb782e))
This issue was reported indepdentently by Toan Chi Nguyen from [Techlab Corporation](https://www.techlabcorp.com/) and [Michal Bazyli](https://www.linkedin.com/in/michal-bazyli-6a3111144/). Thank you!
## [10.0.0](https://github.com/ckeditor/ckeditor5-link/compare/v1.0.0-beta.4...v10.0.0) (2018-04-25)
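Review bot: the credits line has a typo, "indepdentently" should read "independently". The entry would also help integrators more if it said what the fix changes for them: from the code hunks below, an href is now accepted only when its scheme is one of the allowed ones (or absent), and a rejected value is replaced with `#` in the editing view, so existing content that contains a rejected link will render differently after upgrading; the CVE link alone does not convey that.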

@@ -5,0 +14,0 @@


package.json
{
"name": "@ckeditor/ckeditor5-link",
"version": "10.0.0",
"version": "10.0.1",
"description": "Link feature for CKEditor 5.",

@@ -5,0 +5,0 @@ "keywords": [

@@ -17,3 +17,3 @@ /**

import UnlinkCommand from './unlinkcommand';
import { createLinkElement } from './utils';
import { createLinkElement, ensureSafeUrl } from './utils';
import bindTwoStepCaretToAttribute from '@ckeditor/ckeditor5-engine/src/utils/bindtwostepcarettoattribute';

@@ -42,5 +42,10 @@ import findLinkRange from './findlinkrange';

editor.conversion.for( 'downcast' )
editor.conversion.for( 'dataDowncast' )
.add( downcastAttributeToElement( { model: 'linkHref', view: createLinkElement } ) );
editor.conversion.for( 'editingDowncast' )
.add( downcastAttributeToElement( { model: 'linkHref', view: ( href, writer ) => {
return createLinkElement( ensureSafeUrl( href ), writer );
} } ) );
editor.conversion.for( 'upcast' )
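Review bot: the split leaves `dataDowncast` emitting the raw `linkHref` value while only `editingDowncast` passes it through `ensureSafeUrl`, so `editor.getData()` output still carries the original href and any consumer that renders that data outside the editor must sanitize it itself. If preserving the stored model value in the data output is intentional, a one-line comment on the `dataDowncast` branch saying so would keep the next reader from treating it as an omission. Since `ensureSafeUrl` replaces a rejected value with `'#'`, a test asserting that the editing view renders `href="#"` for a rejected scheme while the data output is unchanged would pin down both halves of this behaviour.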

@@ -47,0 +52,0 @@ .add( upcastElementToAttribute( {

@@ -19,2 +19,4 @@ /**

import { ensureSafeUrl } from '../utils';
import unlinkIcon from '../../theme/icons/unlink.svg';

@@ -210,3 +212,3 @@ import pencilIcon from '@ckeditor/ckeditor5-core/theme/icons/pencil.svg';

],
href: bind.to( 'href' ),
href: bind.to( 'href', href => href && ensureSafeUrl( href ) ),
target: '_blank'
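Review bot: the `href && ensureSafeUrl( href )` guard is necessary because `ensureSafeUrl` coerces with `String( url )`, so an undefined href would otherwise be checked as the literal string `"undefined"` (which the `SAFE_URL` pattern accepts as a scheme-less value) and end up in the attribute instead of being left empty; a short comment would stop someone from "simplifying" it to `bind.to( 'href', ensureSafeUrl )`. Separately, the visible lines set `target: '_blank'` and no `rel` attribute appears in this hunk; if none is set elsewhere for this anchor, `rel="noopener noreferrer"` is worth adding so the opened page cannot reach `window.opener`.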

@@ -213,0 +215,0 @@ }

@@ -12,2 +12,5 @@ /**

const ATTRIBUTE_WHITESPACES = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g; // eslint-disable-line no-control-regex
const SAFE_URL = /^(?:(?:https?|ftps?|mailto):|[^a-z]|[a-z+.-]+(?:[^a-z+.:-]|$))/i;
/**
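Review bot: both constants need a comment explaining their intent, because the pattern is hard to read back. As written, `SAFE_URL` accepts (a) an explicit `http`, `https`, `ftp`, `ftps` or `mailto` scheme, (b) any value whose first character is not a letter (relative paths, fragments, query strings), or (c) a leading run of scheme characters that is not followed by `:`, i.e. a value with no scheme at all; any other scheme is rejected. `ATTRIBUTE_WHITESPACES` is stripped before matching because browsers ignore those control and whitespace characters inside an attribute value, so the check must see the URL the way the browser will; the `i` flag is right since scheme names are case-insensitive. A small table-driven unit test listing accepted and rejected inputs for each of the three alternatives would document the contract better than the regex does.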

@@ -36,1 +39,27 @@ * Returns `true` if a given view node is the link element.

}
/**
* Returns a safe URL based on a given value.
*
* An URL is considered safe if it is safe for the user (does not contain any malicious code).
*
* If URL is considered unsafe, a simple `"#"` is returned.
*
* @protected
* @param {*} url
* @returns {String} Safe URL.
*/
export function ensureSafeUrl( url ) {
url = String( url );
return isSafeUrl( url ) ? url : '#';
}
// Checks whether the given URL is safe for the user (does not contain any malicious code).
//
// @param {String} url URL to check.
function isSafeUrl( url ) {
const normalizedUrl = url.replace( ATTRIBUTE_WHITESPACES, '' );
return normalizedUrl.match( SAFE_URL );
}
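Review bot: `isSafeUrl` returns the result of `String.prototype.match` (an array or `null`) rather than a boolean; it works inside the ternary in `ensureSafeUrl`, but `SAFE_URL.test( normalizedUrl )` states the intent and avoids allocating a match array. The JSDoc also overstates the guarantee: "does not contain any malicious code" should be narrowed to what the function actually checks, namely that the scheme, after whitespace normalization, is one of the allowed ones or absent. Minor wording: "An URL" should be "A URL" and "If URL is considered unsafe" should be "If the URL is considered unsafe". Finally, the check runs on the normalized string but the original `url` is returned; that is correct as long as `ATTRIBUTE_WHITESPACES` mirrors what browsers strip, and a comment stating that dependency would help whoever next edits either constant.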