Commit d0aa27a

Merge pull request #1715 from plotly/ie-link-fix
add empty protocol to link whitelist for IE relative links
2 parents 3771863 + b5f5168 commit d0aa27a

1 file changed

+7
-1
lines changed

src/lib/svg_text_utils.js

Lines changed: 7 additions & 1 deletion
@@ -252,7 +252,13 @@ var TAG_CLOSE = {
252252
sub: '<tspan dy="-0.21em">&#x200b;</tspan>'
253253
};
254254

255-
var PROTOCOLS = ['http:', 'https:', 'mailto:'];
255+
/*
256+
* Whitelist of protocols in user-supplied urls. Mostly we want to avoid javascript
257+
* and related attack vectors. The empty items are there for IE, that in various
258+
* versions treats relative paths as having different flavors of no protocol, while
259+
* other browsers have these explicitly inherit the protocol of the page they're in.
260+
*/
261+
var PROTOCOLS = ['http:', 'https:', 'mailto:', '', undefined, ':'];
256262

257263
var STRIP_TAGS = new RegExp('</?(' + Object.keys(TAG_STYLES).join('|') + ')( [^>]*)?/?>', 'g');
258264
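Review bot: The three new entries in `var PROTOCOLS = ['http:', 'https:', 'mailto:', '', undefined, ':'];` make the allowlist accept any URL whose protocol comes back empty, undefined or a bare colon, and nothing in this hunk shows how that protocol value is derived or a test that pins the behaviour down. Since the new comment states the goal is to "avoid javascript and related attack vectors", please add a test next to this change asserting that a relative link is kept and that a `javascript:` link is still dropped, run in IE as well as the other browsers, so the wider list cannot silently let a scripted URL through if the parsing differs there. It would also help to extend the comment to say which of `''`, `undefined` and `':'` was observed in which IE version, so a later cleanup knows which entries can be removed once those versions are unsupported.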
