@backstage/core-components 0.12.4-next.1 → 0.12.4

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @backstage/core-components
 
+## 0.12.4
+
+### Patch Changes
+
+- 68ce7d0417: Added aria labels on the support button and sidebar
+- 5637ebed92: Added a global override for `window.open` that helps prevent security vulnerabilities.
+- 910015f5b7: The Button component has been deprecated in favor of the LinkButton component
+- 20840b36b4: Adds new type, TableOptions, extending Material Table Options.
+- e81a6e0ab5: Updated Link URL validation to be more strict.
+- 85b04f659a: Internal refactor to not use deprecated `substr`
+- 66e2aab4c4: Navigation items in mobile sidebar now have aria label.
+- Updated dependencies
+  - @backstage/theme@0.2.17
+  - @backstage/core-plugin-api@1.4.0
+  - @backstage/config@1.0.6
+  - @backstage/errors@1.1.4
+  - @backstage/version-bridge@1.0.3
+
 ## 0.12.4-next.1
 
 ### Patch Changes

package/dist/index.esm.js

@@ -278,6 +278,24 @@ const useStyles$R = makeStyles(
   { name: "Link" }
 );
 const isExternalUri = (uri) => /^([a-z+.-]+):/.test(uri);
+const scriptProtocolPattern = (
+  // eslint-disable-next-line no-control-regex
+  /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i
+);
+const originalWindowOpen = window.open;
+if (originalWindowOpen && !originalWindowOpen.__backstage) {
+  const newOpen = function open(...args) {
+    const url = String(args[0]);
+    if (scriptProtocolPattern.test(url)) {
+      throw new Error(
+        "Rejected window.open() with a javascript: URL as a security precaution"
+      );
+    }
+    return originalWindowOpen.apply(this, args);
+  };
+  newOpen.__backstage = true;
+  window.open = newOpen;
+}
 const useBaseUrl = () => {
   try {
     const config = useApi(configApiRef);
@@ -324,6 +342,11 @@ const Link = React.forwardRef(
     const linkText = getNodeText(props.children) || to;
     const external = isExternalUri(to);
     const newWindow = external && !!/^https?:/.exec(to);
+    if (scriptProtocolPattern.test(to)) {
+      throw new Error(
+        "Link component rejected javascript: URL as a security precaution"
+      );
+    }
     const handleClick = (event) => {
       onClick == null ? void 0 : onClick(event);
       if (!noTrack) {
@@ -3336,14 +3359,15 @@ function SupportButton(props) {
       color: "primary",
       size: "small",
       onClick: onClickHandler,
-      "data-testid": "support-button"
+      "data-testid": "support-button",
+      "aria-label": "Support"
     },
     /* @__PURE__ */ React.createElement(HelpIcon, null)
   ) : /* @__PURE__ */ React.createElement(
     Button$1,
     {
       "data-testid": "support-button",
-      "aria-label": "support",
+      "aria-label": "Support",
       color: "primary",
       onClick: onClickHandler,
       startIcon: /* @__PURE__ */ React.createElement(HelpIcon, null)
@@ -3366,7 +3390,15 @@ function SupportButton(props) {
       onClose: popoverCloseHandler
     },
     /* @__PURE__ */ React.createElement(List, { className: classes.popoverList }, title && /* @__PURE__ */ React.createElement(ListItem, { alignItems: "flex-start" }, /* @__PURE__ */ React.createElement(Typography, { variant: "subtitle1" }, title)), React.Children.map(children, (child, i) => /* @__PURE__ */ React.createElement(ListItem, { alignItems: "flex-start", key: `child-${i}` }, child)), (items != null ? items : configItems).map((item, i) => /* @__PURE__ */ React.createElement(SupportListItem, { item, key: `item-${i}` }))),
-    /* @__PURE__ */ React.createElement(DialogActions, null, /* @__PURE__ */ React.createElement(Button$1, { color: "primary", onClick: popoverCloseHandler }, "Close"))
+    /* @__PURE__ */ React.createElement(DialogActions, null, /* @__PURE__ */ React.createElement(
+      Button$1,
+      {
+        color: "primary",
+        onClick: popoverCloseHandler,
+        "aria-label": "Close"
+      },
+      "Close"
+    ))
   ));
 }