Merge pull request #1204 from prezly/feature/dev-18822-blockstream-vu…

…lnerability-report-xss-reflected [DEV-18822] Fix - Validate URL to prevent XSS vulnerability on untrusted param
prezly · Dec 17, 2024 · 5c2fc33 · 5c2fc33
2 parents 27b2b36 + 749a071
commit 5c2fc33
Showing 1 changed file with 23 additions and 3 deletions.
diff --git a/modules/Header/ui/Header.tsx b/modules/Header/ui/Header.tsx
@@ -144,13 +144,14 @@ export function Header({
     }, [props.logoSize, searchParams]);
 
     const mainSiteUrl = useMemo(() => {
-        const mainSiteUrlPreview = searchParams.get('main_site_url');
+        const mainSiteUrlPreview = validateUrl(searchParams.get('main_site_url'));
+
         if (mainSiteUrlPreview) {
-            return new URL(mainSiteUrlPreview);
+            return mainSiteUrlPreview;
         }
 
         if (props.mainSiteUrl) {
-            return new URL(props.mainSiteUrl);
+            return validateUrl(props.mainSiteUrl);
         }
 
         return null;
@@ -299,3 +300,22 @@ function humanizeUrl(url: URL) {
     const string = url.hostname.replace(/^www\./, '');
     return string.charAt(0).toUpperCase() + string.slice(1);
 }
+
+function validateUrl(url: string | null) {
+    if (!url) return null;
+
+    try {
+        const normalizedUrl =
+            url.startsWith('http://') || url.startsWith('https://') ? url : `https://${url}`;
+
+        const parsedUrl = new URL(normalizedUrl);
+
+        if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+            return null;
+        }
+
+        return parsedUrl;
+    } catch {
+        return null;
+    }
+}