From 410e6c00318d9e0408954a52deca47e6284dea4a Mon Sep 17 00:00:00 2001
From: gtsp233
Date: Thu, 30 Nov 2023 23:56:07 -0500
Subject: [PATCH] add conditional check to block javascript: URLs

---
 src/components/placeholder/PlaceholderEmbed.tsx | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/components/placeholder/PlaceholderEmbed.tsx b/src/components/placeholder/PlaceholderEmbed.tsx
index bbac9b9..443302b 100644
--- a/src/components/placeholder/PlaceholderEmbed.tsx
+++ b/src/components/placeholder/PlaceholderEmbed.tsx
@@ -6,12 +6,15 @@ import { BorderSpinner } from './parts/BorderSpinner';
 import { EngagementIconsPlaceholder } from './parts/EngagementIconsPlaceholder';
 import { ProfilePlaceholder } from './parts/ProfilePlaceholder';
 
+const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i
+
 export interface PlaceholderEmbedProps extends DivProps {
   url: string;
   linkText?: string;
   imageUrl?: string;
   spinner?: React.ReactNode;
   spinnerDisabled?: boolean;
+  allowJavaScriptUrls?: boolean;
 }
 
 export const PlaceholderEmbed = ({
@@ -19,9 +22,16 @@ export const PlaceholderEmbed = ({
   linkText = 'View post',
   imageUrl,
   spinner = ,
+  allowJavaScriptUrls = true,
   spinnerDisabled,
   ...divProps
 }: PlaceholderEmbedProps) => {
+
+  if (isJavaScriptProtocol.test(url) && !allowJavaScriptUrls) {
+    console.warn(`PlaceholderEmbed has blocked a javascript: URL as a security precaution`);
+    return null;
+  }
+
   return (
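Review bot: `allowJavaScriptUrls?: boolean;` is added to the props without TSDoc, and the protection it toggles is opt-in — the second hunk defaults it to `true`, so a `url` taken from untrusted input is still rendered as a javascript: link unless every caller remembers to pass `false`; a secure-by-default component would default to `false` and state the contract on the prop, e.g. `/** When false, a url whose scheme is javascript: is not rendered (a warning is logged instead). Defaults to true so existing callers are unchanged. */`. The regex is a blocklist for a single scheme, so an allowlist check (http:, https: and relative URLs, e.g. via `new URL(url, document.baseURI).protocol`) would be the more robust shape and would also cover other script-bearing schemes. Minor: the `\:` at the end of the literal is a useless escape that eslint's no-useless-escape reports and that `u`-mode regexes reject, and the declaration lacks the trailing semicolon the rest of the file uses — `...t[\r\n\t]*:/i;`.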