Headline
CVE-2023-26140: fix: stronger enforcement of normalizeLink (#6728) · excalidraw/excalidraw@b33fa6d
Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization.
Expand Up
@@ -29,6 +29,7 @@ import { getTooltipDiv, updateTooltipPosition } from "…/components/Tooltip";
import { getSelectedElements } from "…/scene";
import { isPointHittingElementBoundingBox } from "./collision";
import { getElementAbsoluteCoords } from "./";
import { isLocalLink, normalizeLink } from "…/data/url";
import "./Hyperlink.scss";
import { trackEvent } from "…/analytics";
Expand Down Expand Up
@@ -166,7 +167,7 @@ export const Hyperlink = ({
/>
) : (
<a
href={element.link || ""}
href={normalizeLink(element.link || “”)}
className={clsx("excalidraw-hyperlinkContainer-link", {
"d-none": isEditing,
})}
Expand All
@@ -177,7 +178,13 @@ export const Hyperlink = ({
EVENT.EXCALIDRAW_LINK,
event.nativeEvent,
);
onLinkOpen(element, customEvent);
onLinkOpen(
{
…element,
link: normalizeLink(element.link),
},
customEvent,
);
if (customEvent.defaultPrevented) {
event.preventDefault();
}
Expand Down Expand Up
@@ -231,21 +238,6 @@ const getCoordsForPopover = (
return { x, y };
};
export const normalizeLink = (link: string) => {
link = link.trim();
if (link) {
// prefix with protocol if not fully-qualified
if (!link.includes(“://”) && !/^[[\\/]/.test(link)) {
link = `https://${link}`;
}
}
return link;
};
export const isLocalLink = (link: string | null) => {
return !!(link?.includes(location.origin) || link?.startsWith(“/”));
};
export const actionLink = register({
name: "hyperlink",
perform: (elements, appState) => {
Expand Down
Related news
### Impact XSS vulnerability due to improperly sanitizing URLs of links that can be attached on canvas elements. This affects users of the npm package `@excalidraw/excalidraw` provided it was deployed in environments where untrusted user input in drawings that are then shared with third parties is a concern. If you only hosted the editor in trusted environments, or sharing didn't take place, the impact is minimized. ### Patches Patch is available on version 0.15.3 and up (stable), or latest `@excalidraw/excalidraw@next` (unstable releases). ### Workarounds No workaround without upgrading unless deployed in environments without untrusted user input. ### References https://security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658 https://github.com/excalidraw/excalidraw/pull/6728