yan/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-04-25 20:19:47 +08:00
Code Issues Packages Projects Releases Wiki Activity

Harden render iframe open-link handling (#36811)

Browse Source 
This PR hardens the handling of the “open-link” action in render iframes
(external rendering iframes). It prevents iframes from triggering unsafe
or unintended redirects or opening new windows via postMessage.

Additionally, it improves iframe height reporting to reduce scrollbar
and height mismatch issues, and adds unit test coverage.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
Lunny Xiao
2026-03-03 23:15:33 -08:00
committed by GitHub
parent b874e0d8e5
commit 315b947740
3 changed files with 92 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
web_src/js/markup/render-iframe.test.ts Normal file
View File

@@ -0,0 +1,46 @@
import {navigateToIframeLink} from './render-iframe.ts';
describe('navigateToIframeLink', () => {
const openSpy = vi.spyOn(window, 'open').mockImplementation(() => null);
const assignSpy = vi.spyOn(window.location, 'assign').mockImplementation(() => undefined);
test('safe links', () => {
navigateToIframeLink('http://example.com', '_blank');
expect(openSpy).toHaveBeenCalledWith('http://example.com/', '_blank', 'noopener,noreferrer');
vi.clearAllMocks();
navigateToIframeLink('https://example.com', '_self');
expect(assignSpy).toHaveBeenCalledWith('https://example.com/');
vi.clearAllMocks();
navigateToIframeLink('https://example.com', null);
expect(assignSpy).toHaveBeenCalledWith('https://example.com/');
vi.clearAllMocks();
navigateToIframeLink('/path', '');
expect(assignSpy).toHaveBeenCalledWith('http://localhost:3000/path');
vi.clearAllMocks();
// input can be any type & any value, keep the same behavior as `window.location.href = 0`
navigateToIframeLink(0, {});
expect(assignSpy).toHaveBeenCalledWith('http://localhost:3000/0');
vi.clearAllMocks();
});
test('unsafe links', () => {
window.location.href = 'http://localhost:3000/';
// eslint-disable-next-line no-script-url
navigateToIframeLink('javascript:void(0);', '_blank');
expect(openSpy).toHaveBeenCalledTimes(0);
expect(assignSpy).toHaveBeenCalledTimes(0);
expect(window.location.href).toBe('http://localhost:3000/');
vi.clearAllMocks();
navigateToIframeLink('data:image/svg+xml;utf8,<svg></svg>', '');
expect(openSpy).toHaveBeenCalledTimes(0);
expect(assignSpy).toHaveBeenCalledTimes(0);
expect(window.location.href).toBe('http://localhost:3000/');
vi.clearAllMocks();
});
});