Extend protection against potential XSS vulnerability
Status: Done
Assignee: Owen Stephens
Reporter: Hongwei Ji
Development Team: Bienenvolk
Release: Poppy (R2 2023)
Sprint: None
RCA Group: TBD
Created: March 30, 2023 at 2:10 PM
Updated: June 12, 2023 at 7:57 AM
Resolved: April 20, 2023 at 9:25 AM

Description
See SI-12 for the original issue and steps to reproduce.
Extend the URL validation introduced in SI-12, which prevents execution of malicious URLs, so that potentially malicious URL strings are also rejected when the widget is saved.
Scope:
Context: Create or edit dashboard widgets with URL fields
Applies to: URL links defined with a protocol identifier
Does not apply to: URL link strings defined without a protocol identifier
Related Prior Work:
https://github.com/folio-org/ui-dashboard/pull/224
Acceptance Criteria:
Given a string is entered in the URL link field of a dashboard widget
When a user attempts to save the widget
And the string is prefixed with a protocol identifier other than `https` or `http`
Then do not save the record
And return the user to the widget edit/create screen
And highlight the invalid field with:
- error styling
- error message: `Please enter a valid URL (starts with "https://", "http://" or "/" and doesn't contain special characters not allowed in URLs)`
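The acceptance criteria above expressed as a field-level validator, added here as an illustration and not ui-dashboard's own code from PR 224: `validateWidgetUrl`, `URL_ERROR` and the two regular expressions are assumed names; the function returns the error message when the value must be rejected and `undefined` when it may be saved, the convention a `validate` prop on a form field expects.

```javascript
// Added example (not ui-dashboard's code): validator for a widget URL field.
// Returns the error message on rejection, undefined when the value may be saved.
const URL_ERROR = 'Please enter a valid URL (starts with "https://", "http://" or "/" '
  + 'and doesn\'t contain special characters not allowed in URLs)';

// Characters a URL may contain (RFC 3986 unreserved + reserved + percent-encoding).
// Whitespace and control characters are deliberately excluded: browsers strip
// tabs/newlines before parsing the scheme, so "java\nscript:" would otherwise slip past.
const ALLOWED_URL_CHARS = /^[A-Za-z0-9\-._~:/?#[\]@!$&'()*+,;=%]*$/;

// Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
// Anything that parses as a scheme is treated as a protocol identifier, which is
// the conservative choice because that is how a browser would interpret it.
const SCHEME_PREFIX = /^([A-Za-z][A-Za-z0-9+\-.]*):/;

function validateWidgetUrl(value) {
  // Empty values are left to any "required" validation on the field.
  if (value === undefined || value === null || value === '') return undefined;

  // Trim first: browsers ignore leading/trailing whitespace when resolving a URL.
  const url = String(value).trim();

  // Reject characters that are not allowed anywhere in a URL.
  if (!ALLOWED_URL_CHARS.test(url)) return URL_ERROR;

  const match = url.match(SCHEME_PREFIX);
  if (match) {
    // A protocol identifier is present: only http and https are accepted, and the
    // scheme must be followed by "//" so that "https:example.org" is not saved.
    const scheme = match[1].toLowerCase();
    if (scheme !== 'http' && scheme !== 'https') return URL_ERROR;
    if (!/^https?:\/\//i.test(url)) return URL_ERROR;
    return undefined;
  }

  // No protocol identifier (e.g. a "/relative/path"): out of scope for this issue,
  // so the string is accepted unchanged apart from the character check above.
  return undefined;
}
```

Wire it to the URL field with `validate={validateWidgetUrl}` (or an equivalent per-field hook) so that a rejected value keeps the form on the edit/create screen with the field marked invalid.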