Skip to content

updated isSafeUrl function to fix network related attacks #36121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
AtishayMsft merged 6 commits into from
May 13, 2026
Merged

updated isSafeUrl function to fix network related attacks #36121

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
2287ac1
updated isSafeUrl function to fix network related attacks
v-baambati May 8, 2026
23b312a
added chnage files
v-baambati May 8, 2026
4a068e3
Merge branch 'master' of https://github.com/microsoft/fluentui into S…
v-baambati May 13, 2026
2eef67f
Merge branch 'master' of https://github.com/microsoft/fluentui into S…
v-baambati May 13, 2026
b408298
updated logic
v-baambati May 13, 2026
e1468c8
Added new test cases to safe url functaion validation
v-baambati May 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions change/@fluentui-react-charting-355a59ec-794a-4da2-93a6-ea28e5c1c204.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"type": "patch",
"comment": "safeurl related bug fix",
"packageName": "@fluentui/react-charting",
"email": "132879294+v-baambati@users.noreply.github.com",
"dependentChangeType": "patch"
}
7 changes: 7 additions & 0 deletions change/@fluentui-react-charts-eede23c0-c45d-4f45-9a22-a7a9334860bb.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"type": "patch",
"comment": "safeurl related bug fix",
"packageName": "@fluentui/react-charts",
"email": "132879294+v-baambati@users.noreply.github.com",
"dependentChangeType": "patch"
}
47 changes: 47 additions & 0 deletions packages/charts/react-charting/src/utilities/UtilityUnitTests.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1523,6 +1523,10 @@ describe('isSafeUrl', () => {
expect(utils.isSafeUrl('https://example.com')).toBe(true);
});

test('Should allow https URL with leading whitespace', () => {
expect(utils.isSafeUrl(' https://example.com')).toBe(true);
});

test('Should allow https URL with path, query, and fragment', () => {
expect(utils.isSafeUrl('https://example.com/path?q=1#section')).toBe(true);
});
Expand Down Expand Up @@ -1552,6 +1556,26 @@ describe('isSafeUrl', () => {
expect(utils.isSafeUrl('javascript:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with leading whitespace', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl(' javascript:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with leading tabs/newlines', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('\n\tjavascript:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with embedded newline in scheme', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('java\nscript:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with embedded tab in scheme', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('java\tscript:alert(1)')).toBe(false);
});

test('Should block data: protocol', () => {
expect(utils.isSafeUrl('data:text/html,<script>alert(1)</script>')).toBe(false);
});
Expand All @@ -1560,6 +1584,25 @@ describe('isSafeUrl', () => {
expect(utils.isSafeUrl('vbscript:msgbox("xss")')).toBe(false);
});

test('Should block vbscript:alert(1)', () => {
expect(utils.isSafeUrl('vbscript:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with null byte prefix', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('\0javascript:alert(1)')).toBe(false);
});

test('Should block mixed-case javascript: protocol with embedded newline', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('JaVa\nScRiPt:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with CRLF prefix', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('\r\njavascript:alert(1)')).toBe(false);
});

test('Should block file: protocol', () => {
expect(utils.isSafeUrl('file:///etc/passwd')).toBe(false);
});
Expand All @@ -1580,6 +1623,10 @@ describe('isSafeUrl', () => {
expect(utils.isSafeUrl('custom:payload')).toBe(false);
});

test('Should block custom: protocol with leading whitespace', () => {
expect(utils.isSafeUrl(' custom:payload')).toBe(false);
});

test('Should allow a path that contains a colon but is not a scheme', () => {
expect(utils.isSafeUrl('/path/to:resource')).toBe(true);
});
Expand Down
6 changes: 3 additions & 3 deletions packages/charts/react-charting/src/utilities/utilities.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2556,9 +2556,9 @@ const truncateTextToFitWidth = (text: string, maxWidth: number, measure: (s: str
};

export function isSafeUrl(href: string): boolean {
if (/^[a-z][a-z0-9+.-]*:/i.test(href)) {
return /^(https?|mailto|tel|ftp):/i.test(href);
const normalized = href.replace(/[\u0000-\u001F\u007F\s]+/g, '');
if (/^[a-z][a-z0-9+.-]*:/i.test(normalized)) {
return /^(https?|mailto|tel|ftp):/i.test(normalized);
}

return true;
}
47 changes: 47 additions & 0 deletions packages/charts/react-charts/library/src/utilities/UtilityUnitTests.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1528,6 +1528,10 @@ describe('isSafeUrl', () => {
expect(utils.isSafeUrl('https://example.com')).toBe(true);
});

test('Should allow https URL with leading whitespace', () => {
expect(utils.isSafeUrl(' https://example.com')).toBe(true);
});

test('Should allow https URL with path, query, and fragment', () => {
expect(utils.isSafeUrl('https://example.com/path?q=1#section')).toBe(true);
});
Expand Down Expand Up @@ -1557,6 +1561,26 @@ describe('isSafeUrl', () => {
expect(utils.isSafeUrl('javascript:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with leading whitespace', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl(' javascript:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with leading tabs/newlines', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('\n\tjavascript:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with embedded newline in scheme', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('java\nscript:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with embedded tab in scheme', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('java\tscript:alert(1)')).toBe(false);
Comment thread
v-baambati marked this conversation as resolved.
});

test('Should block data: protocol', () => {
expect(utils.isSafeUrl('data:text/html,<script>alert(1)</script>')).toBe(false);
});
Expand All @@ -1565,6 +1589,25 @@ describe('isSafeUrl', () => {
expect(utils.isSafeUrl('vbscript:msgbox("xss")')).toBe(false);
});

test('Should block vbscript:alert(1)', () => {
expect(utils.isSafeUrl('vbscript:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with null byte prefix', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('\0javascript:alert(1)')).toBe(false);
});

test('Should block mixed-case javascript: protocol with embedded newline', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('JaVa\nScRiPt:alert(1)')).toBe(false);
});

test('Should block javascript: protocol with CRLF prefix', () => {
// eslint-disable-next-line no-script-url
expect(utils.isSafeUrl('\r\njavascript:alert(1)')).toBe(false);
});

test('Should block file: protocol', () => {
expect(utils.isSafeUrl('file:///etc/passwd')).toBe(false);
});
Expand All @@ -1585,6 +1628,10 @@ describe('isSafeUrl', () => {
expect(utils.isSafeUrl('custom:payload')).toBe(false);
});

test('Should block custom: protocol with leading whitespace', () => {
expect(utils.isSafeUrl(' custom:payload')).toBe(false);
});

test('Should allow a path that contains a colon but is not a scheme', () => {
expect(utils.isSafeUrl('/path/to:resource')).toBe(true);
});
Expand Down
5 changes: 3 additions & 2 deletions packages/charts/react-charts/library/src/utilities/utilities.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2716,8 +2716,9 @@ const truncateTextToFitWidth = (text: string, maxWidth: number, measure: (s: str
};

export function isSafeUrl(href: string): boolean {
if (/^[a-z][a-z0-9+.-]*:/i.test(href)) {
return /^(https?|mailto|tel|ftp):/i.test(href);
const normalized = href.replace(/[\u0000-\u001F\u007F\s]+/g, '');
if (/^[a-z][a-z0-9+.-]*:/i.test(normalized)) {
return /^(https?|mailto|tel|ftp):/i.test(normalized);
}
return true;
}
Loading