fix(link): respect custom protocols #5468

[nperez0111]

Changes Overview

When we fixed a XSS vuln, we inadvertently broke the ability to use custom protocols, this PR resolves that by allowing additional custom protocols to be considered valid and not stripped out

Implementation Approach

Testing Done

Verification Steps

Additional Notes

Checklist

• I have created a changeset for this PR if necessary.
• My changes do not break the library.
• I have added tests where applicable.
• I have followed the project guidelines.
• I have fixed any lint issues.

Related Issues

#5468

[changeset-bot]

🦋 Changeset detected

Latest commit: d766bd5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 54 packages

Name	Type
@tiptap/extension-link	Patch
@tiptap/core	Patch
@tiptap/extension-blockquote	Patch
@tiptap/extension-bold	Patch
@tiptap/extension-bubble-menu	Patch
@tiptap/extension-bullet-list	Patch
@tiptap/extension-character-count	Patch
@tiptap/extension-code-block-lowlight	Patch
@tiptap/extension-code-block	Patch
@tiptap/extension-code	Patch
@tiptap/extension-collaboration-cursor	Patch
@tiptap/extension-collaboration	Patch
@tiptap/extension-color	Patch
@tiptap/extension-document	Patch
@tiptap/extension-dropcursor	Patch
@tiptap/extension-floating-menu	Patch
@tiptap/extension-focus	Patch
@tiptap/extension-font-family	Patch
@tiptap/extension-gapcursor	Patch
@tiptap/extension-hard-break	Patch
@tiptap/extension-heading	Patch
@tiptap/extension-highlight	Patch
@tiptap/extension-history	Patch
@tiptap/extension-horizontal-rule	Patch
@tiptap/extension-image	Patch
@tiptap/extension-italic	Patch
@tiptap/extension-list-item	Patch
@tiptap/extension-list-keymap	Patch
@tiptap/extension-mention	Patch
@tiptap/extension-ordered-list	Patch
@tiptap/extension-paragraph	Patch
@tiptap/extension-placeholder	Patch
@tiptap/extension-strike	Patch
@tiptap/extension-subscript	Patch
@tiptap/extension-superscript	Patch
@tiptap/extension-table-cell	Patch
@tiptap/extension-table-header	Patch
@tiptap/extension-table-row	Patch
@tiptap/extension-table	Patch
@tiptap/extension-task-item	Patch
@tiptap/extension-task-list	Patch
@tiptap/extension-text-align	Patch
@tiptap/extension-text-style	Patch
@tiptap/extension-text	Patch
@tiptap/extension-typography	Patch
@tiptap/extension-underline	Patch
@tiptap/extension-youtube	Patch
@tiptap/html	Patch
@tiptap/pm	Patch
@tiptap/react	Patch
@tiptap/starter-kit	Patch
@tiptap/suggestion	Patch
@tiptap/vue-2	Patch
@tiptap/vue-3	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[netlify]

✅ Deploy Preview for tiptap-embed ready!

Name	Link
🔨 Latest commit	d766bd5
🔍 Latest deploy log	https://app.netlify.com/sites/tiptap-embed/deploys/66b9bc809220c60008d7eefd
😎 Deploy Preview	https://deploy-preview-5470--tiptap-embed.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[rfgamaral]

@nperez0111 We've finally integrated the latest Tiptap version with our product, and unfortunately this change (actually, the main culprit is the XSS vulnerability fix change) is causing issues for us.

We've started getting loads of support tickets of people complaining that custom links copied from the most various apps could no longer be used to link text in the editor. To give a few examples, apps such as Airmail, Bear, Obsidian, give you links with custom protocols (i.e. airmail://, bear://, obsidian://), and these stopped working. As you can imagine, figuring out a list of all supported custom protocols for all the apps out there will be nearly impossible.

I'm wondering if it would make sense to rethink the approach here, and introduce a disallow list (with sane defaults) instead of an allow list? The downside is that registerCustomProtocol from linkify.js needs an allow list, but maybe we could refactor it like this:

• autolinkProtocols: allow list of protocols for linkify.js registerCustomProtocol
• disallowedProtocols: disallow list of protocols for link validation

What do you think?

Alternatively, here are a few more ideas (mutually exclusive):

• Provide an option to completely disable link validation
  • In the short term, and/or as a temporary measure, this could be an acceptable solution because it would allow us to go back to the previous behaviour (for the moment we have a patch to remove validation, but it would be awesome if we could get rid of this soon)
• Provide an option to fully customize link validation

As an aside, I think there's a bit of a disconnect between the default allowedProtocols list, and the registerCustomProtocol function. For instance, you are allowed to have links with the tel, callto, sms, cid, and xmpp protocols, but these are not auto-linked, because they are not registered as custom protocols (the other one seem to be accepted by linkify.js by default, despite not being directly registered either).

[nperez0111]

Hey @rfgamaral can you make a new issue for this? I think it warrants some discussion on the tradeoffs & I'm not sure that this is the best place for it.

I don't have the bandwidth right now to give my specific thoughts on it but I know it is important.

My not very well thought out thought is that we should just expose an API to let you choose how you want to handle this sort of a thing (I think there is an existing validate method that we could probably re-use for this). But I do think that the default behavior is quite valid & safe for a web-based editor that isn't really going to deal with custom protocols as much, but I of course understand your concern & it should be accounted for.

[rfgamaral]

@nperez0111 Done: #5564. Let's continue the discussion there.