Removes support for passing values with a javascript: scheme to `Sa…

…feUrl.fromConstant` These urls are incompatible with strict CSP and can thus cause production breakages. RELNOTES: n/a PiperOrigin-RevId: 563074952 Change-Id: I8bba86f22c57bd8f8c6a6bbb7d2dade132f296c4
google · Sep 6, 2023 · 1e1e2c1 · 1e1e2c1
1 parent b54d5fa
commit 1e1e2c1
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/closure/goog/html/safeurl.js b/closure/goog/html/safeurl.js
@@ -197,8 +197,11 @@ goog.html.SafeUrl.unwrap = function(safeUrl) {
  */
 goog.html.SafeUrl.fromConstant = function(url) {
   'use strict';
-  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(
-      goog.string.Const.unwrap(url));
+  const str = goog.string.Const.unwrap(url);
+  if (goog.DEBUG && goog.html.SafeUrl.extractScheme(str) === 'javascript:') {
+    throw Error('Building a SafeUrl with a javascript scheme is not supported');
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(str);
 };
 
 

diff --git a/closure/goog/html/safeurl_test.js b/closure/goog/html/safeurl_test.js
@@ -60,6 +60,10 @@ testSuite({
         () => new (/** @type {?} */ (SafeUrl.ABOUT_BLANK)).constructor(''));
   },
 
+  testFromConstant_throwsOnJavaScriptUrl() {
+    assertThrows(() => SafeUrl.fromConstant(Const.from('javascript:foo')));
+  },
+
   testSafeUrl() {
     const safeUrl = SafeUrl.fromConstant(Const.from('#'));
     const extracted = SafeUrl.unwrap(safeUrl);