@gitlab/ui 42.11.0 → 42.12.0

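--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,10 @@
+# [42.12.0](https://gitlab.com/gitlab-org/gitlab-ui/compare/v42.11.0...v42.12.0) (2022-06-30)
+
+
+### Features
+
+* **SafeHtml:** allow non-http links in urls ([ef995ed](https://gitlab.com/gitlab-org/gitlab-ui/commit/ef995edbaeecccd8d4c6a457d1c0cf9a9a350245))
+
 # [42.11.0](https://gitlab.com/gitlab-org/gitlab-ui/compare/v42.10.1...v42.11.0) (2022-06-29)
 
 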
@@ -8,6 +8,7 @@ import { forbiddenDataAttrs } from './constants';
8
8
 
9
9
  const DEFAULT_CONFIG = {
10
10
  RETURN_DOM_FRAGMENT: true,
11
+ ALLOW_UNKNOWN_PROTOCOLS: true,
11
12
  FORBID_ATTR: [...forbiddenDataAttrs]
12
13
  };
13
14
 
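--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@gitlab/ui",
-"version": "42.11.0",
+"version": "42.12.0",
 "description": "GitLab UI Components",
 "license": "MIT",
 "main": "dist/index.js",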
@@ -6,7 +6,11 @@ import { forbiddenDataAttrs } from './constants';
6
6
  // See https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/1782
7
7
  // and https://gitlab.com/gitlab-org/gitlab-ui/-/merge_requests/2127
8
8
  // for more details.
9
- const DEFAULT_CONFIG = { RETURN_DOM_FRAGMENT: true, FORBID_ATTR: [...forbiddenDataAttrs] };
9
+ const DEFAULT_CONFIG = {
10
+ RETURN_DOM_FRAGMENT: true,
11
+ ALLOW_UNKNOWN_PROTOCOLS: true,
12
+ FORBID_ATTR: [...forbiddenDataAttrs],
13
+ };
10
14
 
11
15
  const transform = (el, binding) => {
12
16
  if (binding.oldValue !== binding.value) {
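Review bot: `ALLOW_UNKNOWN_PROTOCOLS: true` in `DEFAULT_CONFIG` changes URL-scheme handling for every default user of the directive from an allowlist to a denylist, and nothing next to the key says so. As far as I know, DOMPurify in this mode rejects only script-like and `data:` schemes, so any other scheme with a handler registered on the client now survives sanitisation of untrusted HTML. I would add a comment above the key, for example `// Denylist mode: keeps any URL scheme DOMPurify does not treat as script or data (e.g. slack://); not an allowlist.` If only a few schemes are actually needed, an explicit `ALLOWED_URI_REGEXP` would be the narrower choice. The same line is added in the earlier hunk (apparently the built copy), `transform` continues outside this hunk, and the spec's `invalidProtocolUrls` list would pin the denylist better with a `vbscript:` entry and a control-character variant.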
@@ -2,6 +2,17 @@ import { shallowMount } from '@vue/test-utils';
2
2
  import { forbiddenDataAttrs } from './constants';
3
3
  import { SafeHtmlDirective as safeHtml } from './safe_html';
4
4
 
5
+ /* eslint-disable no-script-url */
6
+ const invalidProtocolUrls = [
7
+ 'javascript:alert(1)',
8
+ 'jAvascript:alert(1)',
9
+ 'data:text/html,<script>alert(1);</script>',
10
+ ' javascript:',
11
+ 'javascript :',
12
+ ];
13
+ /* eslint-enable no-script-url */
14
+ const validProtocolUrls = ['slack://open', 'x-devonthink-item://90909', 'x-devonthink-item:90909'];
15
+
5
16
  describe('safe html directive', () => {
6
17
  let wrapper;
7
18
 
@@ -46,6 +57,22 @@ describe('safe html directive', () => {
46
57
  expect(wrapper.html()).toEqual('<div>hello world</div>');
47
58
  });
48
59
 
60
+ describe('with non-http links', () => {
61
+ it.each(validProtocolUrls)('should allow %s', (url) => {
62
+ createComponent({
63
+ html: `<a href="${url}">internal link</a>`,
64
+ });
65
+ expect(wrapper.html()).toContain(`<a href="${url}">internal link</a>`);
66
+ });
67
+
68
+ it.each(invalidProtocolUrls)('should not allow %s', (url) => {
69
+ createComponent({
70
+ html: `<a href="${url}">internal link</a>`,
71
+ });
72
+ expect(wrapper.html()).toContain(`<a>internal link</a>`);
73
+ });
74
+ });
75
+
49
76
  describe('handles data attributes correctly', () => {
50
77
  const acceptedDataAttrs = ['data-safe', 'data-random'];
51
78