fix: change sanitizeUrl to handle URLs without a protocol schema (#36317)

6 months ago · ba0cbd3265
parent 4ba5cd095c
commit ba0cbd3265
3 changed files with 21 additions and 9 deletions
--- a/.changeset/flat-buckets-doubt.md
+++ b/.changeset/flat-buckets-doubt.md
@ -0,0 +1,6 @@
+---
+'@rocket.chat/gazzodown': patch
+'@rocket.chat/meteor': patch
+---
+
+Fixes an issue that causes legitimate URLs to return '#' in links
--- a/packages/gazzodown/src/elements/sanitizeUrl.spec.ts
+++ b/packages/gazzodown/src/elements/sanitizeUrl.spec.ts
@ -95,10 +95,6 @@ describe('sanitizeUrl', () => {
 		});
 	});

-	it('sanitizes malformed URLs', () => {
-		expect(sanitizeUrl('ht^tp://broken')).toBe('#');
-	});
-
 	it('sanitizes empty string', () => {
 		expect(sanitizeUrl('')).toBe('#');
 	});
@ -107,7 +103,7 @@ describe('sanitizeUrl', () => {
 		expect(sanitizeUrl('JAVASCRIPT:alert(1)')).toBe('#');
 	});

-	it('sanitizes nonsense input', () => {
-		expect(sanitizeUrl('💣💥🤯')).toBe('#');
+	it('allows bare domain names', () => {
+		expect(sanitizeUrl('example.com/page')).toBe('//example.com/page');
 	});
 });
--- a/packages/gazzodown/src/elements/sanitizeUrl.ts
+++ b/packages/gazzodown/src/elements/sanitizeUrl.ts
@ -1,8 +1,18 @@
 export const sanitizeUrl = (href: string) => {
+	if (!href) {
+		return '#';
+	}
+
 	try {
-		const url = new URL(href);
-		const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
-		return dangerousProtocols.includes(url.protocol.toLowerCase()) ? '#' : url.href;
+		const hasProtocol = /^[a-zA-Z][a-zA-Z\d+\-.]*:/.test(href);
+
+		if (hasProtocol) {
+			const url = new URL(href);
+			const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
+			return dangerousProtocols.includes(url.protocol.toLowerCase()) ? '#' : url.href;
+		}
+
+		return `//${href}`;
 	} catch {
 		return '#';
 	}