fix(security): harden external-link opening (protocol allow-list + noopener)

URLs reached window.open from user/server-controlled content without a protocol check or noopener, allowing reverse-tabnabbing and (for the chat link handler) a javascript:/data: href running in our origin. - add isSafeExternalUrl() (http/https only) + tests; gate the chat link opener (useOnClickChat) and external photo opener with it - SanitizeHtml: afterSanitizeAttributes hook forces rel="noopener noreferrer" on any target=_blank anchor (overrides attacker-supplied rel) - add noopener,noreferrer to the remaining window.open(_blank) sites (YouTube share, external photo, guide forum link); drop a stray console.log
2026-06-20 15:36:18 +00:00 · 2026-06-17 19:12:01 +02:00
parent 301294ecf4
commit 24d10aced1
9 changed files with 106 additions and 9 deletions
@@ -1,6 +1,6 @@
 import { FC } from 'react';
 import { GetSessionDataManager } from '@nitrots/nitro-renderer';
-import { GetConfigurationValue, LocalizeText, ReportType } from '../../../../api';
+import { GetConfigurationValue, isSafeExternalUrl, LocalizeText, ReportType } from '../../../../api';
 import { NitroCardContentView, NitroCardHeaderView, NitroCardView } from '../../../../common';
 import { useFurnitureExternalImageWidget, useHelp } from '../../../../hooks';
 import { CameraWidgetShowPhotoView } from '../../../camera/views/CameraWidgetShowPhotoView';
@@ -15,10 +15,9 @@ export const FurnitureExternalImageView: FC<{}> = props =>
    const handleOpenFullPhoto = () =>
    {
        const photoUrl = currentPhotos[currentPhotoIndex].w.replace('_small.png', '.png');
-        if (photoUrl)
+        if (photoUrl && isSafeExternalUrl(photoUrl))
        {
-            console.log('Opened photo URL:', photoUrl);
-            window.open(photoUrl, '_blank');
+            window.open(photoUrl, '_blank', 'noopener,noreferrer');
        }
    };