From 11ae187eceb38fa7ebfbe139bb46889a9a7c0d30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= Date: Fri, 25 Sep 2020 12:02:46 +0200 Subject: [PATCH] fix(chat) prevent homograph attacks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Decode URLs using punycode when rendering, so when http://ebаy.com is sent we render http://xn--eby-7cd.com/ instead. Ref: https://github.com/tasti/react-linkify/issues/84 --- package-lock.json | 5 +++++ package.json | 1 + react/features/base/react/components/native/Linkify.js | 3 ++- react/features/base/react/components/web/Linkify.js | 3 ++- 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/package-lock.json b/package-lock.json index 44bb260c2e..5bad25210c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -13141,6 +13141,11 @@ } } }, + "punycode": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.1.1.tgz", + "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==" + }, "q": { "version": "1.5.1", "resolved": "https://registry.npmjs.org/q/-/q-1.5.1.tgz", diff --git a/package.json b/package.json index 771ed41cc7..3063377d84 100644 --- a/package.json +++ b/package.json @@ -63,6 +63,7 @@ "moment-duration-format": "2.2.2", "olm": "https://packages.matrix.org/npm/olm/olm-3.1.4.tgz", "pixelmatch": "5.1.0", + "punycode": "2.1.1", "react": "16.9", "react-dom": "16.9", "react-emoji-render": "1.2.4", diff --git a/react/features/base/react/components/native/Linkify.js b/react/features/base/react/components/native/Linkify.js index fec05a1b4d..ccceb77a9c 100644 --- a/react/features/base/react/components/native/Linkify.js +++ b/react/features/base/react/components/native/Linkify.js @@ -1,5 +1,6 @@ // @flow +import punycode from 'punycode'; import React, { Component } from 'react'; import ReactLinkify from 'react-linkify'; import { Text } from 'react-native'; @@ -68,7 +69,7 @@ export default class Linkify extends Component { key = { key } style = { this.props.linkStyle } url = { decoratedHref }> - {decoratedText} + { punycode.toASCII(decoratedText) } ); } diff --git a/react/features/base/react/components/web/Linkify.js b/react/features/base/react/components/web/Linkify.js index f813c71870..57219f8a5a 100644 --- a/react/features/base/react/components/web/Linkify.js +++ b/react/features/base/react/components/web/Linkify.js @@ -1,5 +1,6 @@ // @flow +import punycode from 'punycode'; import React, { Component } from 'react'; import ReactLinkify from 'react-linkify'; @@ -44,7 +45,7 @@ export default class Linkify extends Component { key = { key } rel = 'noopener noreferrer' target = '_blank'> - {decoratedText} + { punycode.toASCII(decoratedText) } ); }