From 7b0c3c3cd50a1cc9bae5fb721dd1679db2537920 Mon Sep 17 00:00:00 2001
From: Dirkjan Bussink
Date: Thu, 3 Mar 2022 14:51:20 +0100
Subject: [PATCH] fix: update to latest version of sanitize-url

There's been a bunch of security issues in the older versions of sanitize-url that this resolves.
---
 package.json | 2 +-
 src/diagrams/class/classDiagram.spec.js | 8 ++++----
 src/utils.spec.js | 2 +-
 yarn.lock | 8 ++++----
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/package.json b/package.json
index b05377c61..06eabc1b5 100644
--- a/package.json
+++ b/package.json
@@ -57,7 +57,7 @@
 ]
 },
 "dependencies": {
- "@braintree/sanitize-url": "^3.1.0",
+ "@braintree/sanitize-url": "^6.0.0",
 "d3": "^7.0.0",
 "dagre": "^0.8.5",
 "dagre-d3": "^0.6.4",
diff --git a/src/diagrams/class/classDiagram.spec.js b/src/diagrams/class/classDiagram.spec.js
index ea23f0881..6b74c3583 100644
--- a/src/diagrams/class/classDiagram.spec.js
+++ b/src/diagrams/class/classDiagram.spec.js
@@ -746,7 +746,7 @@ foo()
 parser.parse(str);
 
 const testClass = parser.yy.getClass('Class1');
- expect(testClass.link).toBe('about:blank'); //('google.com'); security needs to be set to 'loose' for this to work right
+ expect(testClass.link).toBe('google.com');
 expect(testClass.cssClasses.length).toBe(1);
 expect(testClass.cssClasses[0]).toBe('clickable');
 });
@@ -760,7 +760,7 @@ foo()
 parser.parse(str);
 
 const testClass = parser.yy.getClass('Class1');
- expect(testClass.link).toBe('about:blank'); //('google.com'); security needs to be set to 'loose' for this to work right
+ expect(testClass.link).toBe('google.com');
 expect(testClass.cssClasses.length).toBe(1);
 expect(testClass.cssClasses[0]).toBe('clickable');
 });
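Review bot: The new expectation `expect(testClass.link).toBe('google.com');` drops the only explanation of why this value is reachable, and the test now presumably depends on an unstated property of the upgraded sanitizer, namely that a scheme-less string such as `google.com` is passed through as a relative link instead of being replaced with `about:blank`. A one-line comment would keep that intent visible, e.g. `// no scheme, so the sanitizer treats this as a relative link and keeps it even when securityLevel is not 'loose'`. Nothing in the hunk pins what happens to a link that carries a dangerous scheme, so the security value motivating the bump is not asserted here; a sibling case whose `click` line uses a `javascript:` href and expects `about:blank` would close that gap. The `it(...)` block and the `str` being parsed start outside the hunk.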
@@ -774,7 +774,7 @@ foo()
 parser.parse(str);
 
 const testClass = parser.yy.getClass('Class1');
- expect(testClass.link).toBe('about:blank'); //('google.com'); security needs to be set to 'loose' for this to work right
+ expect(testClass.link).toBe('google.com');
 expect(testClass.tooltip).toBe('A tooltip');
 expect(testClass.cssClasses.length).toBe(1);
 expect(testClass.cssClasses[0]).toBe('clickable');
@@ -789,7 +789,7 @@ foo()
 parser.parse(str);
 
 const testClass = parser.yy.getClass('Class1');
- expect(testClass.link).toBe('about:blank'); //('google.com'); security needs to be set to 'loose' for this to work right
+ expect(testClass.link).toBe('google.com');
 expect(testClass.tooltip).toBe('A tooltip');
 expect(testClass.cssClasses.length).toBe(1);
 expect(testClass.cssClasses[0]).toBe('clickable');
diff --git a/src/utils.spec.js b/src/utils.spec.js
index b37c9af6d..bd35f5ccc 100644
--- a/src/utils.spec.js
+++ b/src/utils.spec.js
@@ -250,7 +250,7 @@ describe('when formatting urls', function () {
 
 config.securityLevel = 'strict';
 result = utils.formatUrl(url, config);
- expect(result).toEqual('about:blank');
+ expect(result).toEqual(url);
 });
 it('should handle mailto', function () {
 const url = 'mailto:user@user.user';
diff --git a/yarn.lock b/yarn.lock
index 2b48f1411..3d7dc08ac 100644
--- a/yarn.lock
+++ b/yarn.lock
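Review bot: `expect(result).toEqual(url);` under `config.securityLevel = 'strict';` now asserts the same value the non-strict path would produce, so after this change the spec can no longer tell a sanitizer that blocks anything from one that returns its input untouched. Since the commit message motivates the bump with security fixes, the strict branch should also pin a blocked input, e.g. `expect(utils.formatUrl('javascript:alert(1)', { securityLevel: 'strict' })).toEqual('about:blank');` placed before the closing `});`. The `url` constant and the earlier assertions of this `it` block are set outside the hunk. That the upgraded library still reports a blocked scheme as `about:blank` is inferred from the removed expectation rather than visible here, so adjust the sentinel if the new version uses a different one.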
@@ -1275,10 +1275,10 @@
 resolved "https://registry.yarnpkg.com/@bcoe/v8-coverage/-/v8-coverage-0.2.3.tgz#75a2e8b51cb758a7553d6804a5932d7aace75c39"
 integrity sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==
 
-"@braintree/sanitize-url@^3.1.0":
- version "3.1.0"
- resolved "https://registry.yarnpkg.com/@braintree/sanitize-url/-/sanitize-url-3.1.0.tgz#8ff71d51053cd5ee4981e5a501d80a536244f7fd"
- integrity sha512-GcIY79elgB+azP74j8vqkiXz8xLFfIzbQJdlwOPisgbKT00tviJQuEghOXSMVxJ00HoYJbGswr4kcllUc4xCcg==
+"@braintree/sanitize-url@^6.0.0":
+ version "6.0.0"
+ resolved "https://registry.yarnpkg.com/@braintree/sanitize-url/-/sanitize-url-6.0.0.tgz#fe364f025ba74f6de6c837a84ef44bdb1d61e68f"
+ integrity sha512-mgmE7XBYY/21erpzhexk4Cj1cyTQ9LzvnTxtzM17BJ7ERMNE6W72mQRo0I1Ud8eFJ+RVVIcBNhLFZ3GX4XFz5w==
 
 "@commitlint/cli@^16.0.0":
 version "16.2.1"