pref: use whitelist for allowed href values #6499
Conversation
Quality Gate passed

Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs. #6499):

              main      #6499     +/-
Coverage      58.18%    58.22%    +0.04%
Complexity    3774      3775      +1
Files         651       651
Lines         22125     22128     +3
Branches      1538      1538
Hits          12873     12885     +12
Misses        8641      8634      -7
Partials      611       609       -2
Besides that, I suggest upgrading the tiptap dependency to https://github.com/ueberdosis/tiptap/releases/tag/v2.6.4 or above; the dependency upgrade can be submitted as a separate PR.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: ruibaby. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What type of PR is this?
/kind improvement
/area editor
/milestone 2.19.x
What this PR does / why we need it:
Replace the original blacklist check with whitelist validation to fix a potential security issue with the a tag.
Remove the custom solution and use the whitelist mechanism provided by Tiptap.
How to test it?
Test whether the href of an a tag can be affected by XSS.
Also test whether the situation from #5479 still occurs, i.e. whether the default rich-text editor still throws an error when a link is purely numeric.
Does this PR introduce a user-facing change?
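The difference between the two approaches described above, as an added example that is not Halo's or Tiptap's code: a denylist that matches known-bad prefixes versus an allowlist of URI schemes applied after WHATWG URL parsing, including the purely numeric link from #5479. The denylist shape, the scheme list and the sample hrefs are assumptions made for the example.

```javascript
// Added example, not Halo's or Tiptap's code: allowlisting URI schemes for a
// link href instead of denylisting known-bad prefixes. Runs on Node.js using
// the global WHATWG URL parser.

// Illustrative denylist check (assumed shape of the replaced approach):
// it only catches the exact spelling it lists.
function hrefAllowedByDenylist(href) {
  return !String(href).startsWith("javascript:");
}

// Allowlist check: parse the href the way a browser does, then accept only
// schemes that are explicitly named.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

function hrefAllowedByAllowlist(href) {
  const value = String(href ?? "").trim();
  if (value === "") return false;
  let parsed;
  try {
    // Resolving against a placeholder base lets relative links ("/docs",
    // "#top") and a bare number such as "12345" (issue #5479) parse as
    // https: instead of throwing or being rejected.
    parsed = new URL(value, "https://placeholder.invalid/");
  } catch {
    return false;
  }
  // The parser lowercases the scheme and strips ASCII tabs/newlines, so
  // variants such as "JavaScript:" normalise to "javascript:" before the check.
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Run both checks over a list of hrefs so the gaps in the denylist are visible.
function compareChecks(hrefs) {
  return hrefs.map((href) => ({
    href,
    denylist: hrefAllowedByDenylist(href),
    allowlist: hrefAllowedByAllowlist(href),
  }));
}

// Constructed sample hrefs covering the cases the PR description asks to test.
const SAMPLE_HREFS = [
  "https://example.com/docs",
  "12345",
  "/relative/path#top",
  "mailto:user@example.com",
  "javascript:void(0)",
  "JavaScript:void(0)",
  "data:text/html,hello",
];

console.table(compareChecks(SAMPLE_HREFS));
```

Note that a protocol-relative href such as `//host/path` resolves to `https:` against the placeholder base and is therefore allowed; reject it before parsing if the editor should not emit it.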