- Issue created by @leymannx
- Merge request !90Issue #3523896: Replaced invalid URL data-href with '#'. โ (Open) created by chhavi.sharma
- ๐ฎ๐ณIndia chhavi.sharma
Checked the URL and replaced with # if not the valid URL. The issue needs review.
- ๐ฉ๐ชGermany jan kellermann
This solution does not allow relative URLs such as
/video/external/youtube. Does this work for you, @norman.lol? - leymannx Berlin
Thank you for your contribution @chhavi ๐ค but @jan is right: We need to take both absolute and relative URLs into account.
- leymannx Berlin
Maybe we could check first, if the string starts with a
/character and if yes, temporarily prefix it withhttps://www.example.comto still be able to use this nice and clean URL method of the current MR. ๐ค - leymannx Berlin
Ah, you can simply pass
context.location.originto the URL constructor, to make it also work for relative or even protocol-relative URLs like//example.com/foobar, see https://developer.mozilla.org/en-US/docs/Web/API/URL/URL.But there's another problem:
data-href="javascript:alert()"is recognised as a valid URL. And this is exactly what we want to avoid. - ๐ฉ๐ชGermany jan kellermann
Yes, Norman, as you suggested, we should check the protocol:
url.protocol === 'http:' || url.protocol === 'https:' - ๐ฎ๐ณIndia chhavi.sharma
@norman.lol @jan Did the sugested changes to support relative URLs. Please review.
- ๐ฉ๐ชGermany sascha_meissner Planet earth
IMHO it doesnt realy make sense to to add contextual consent for outgoing links, for OPยดs example
<a data-name="chatbot" data-href="https://example.com/live-chat-url"> Chat with Support </a>Consent would have to be obtained on example.com, as clicking a link will not load something into the current page/host.
For relative links on the same host it doesnt really make sense to me either.
+ in the klaro-js upstream lib it was more or less a bug that anchor tags are also handled
But maybe i am overseeing something here.