fix: Avoid XSS in custom attributes (#7800)

2025-11-01 19:48:08 +00:00 · 2023-09-05 09:49:54 +05:30
parent e5f7807833
commit f31fc2b375
1 changed files with 4 additions and 1 deletions
--- a/app/javascript/dashboard/components/CustomAttribute.vue
+++ b/app/javascript/dashboard/components/CustomAttribute.vue
@@ -61,7 +61,7 @@
      >
        <a
          v-if="isAttributeTypeLink"
-          :href="value"
+          :href="hrefURL"
          target="_blank"
          rel="noopener noreferrer"
          class="value inline-block rounded-sm mb-0 break-all py-0.5 px-1"
@@ -188,6 +188,9 @@ export default {
    urlValue() {
      return isValidURL(this.value) ? this.value : '---';
    },
+    hrefURL() {
+      return isValidURL(this.value) ? this.value : '';
+    },
    notAttributeTypeCheckboxAndList() {
      return !this.isAttributeTypeCheckbox && !this.isAttributeTypeList;
    },