updated isSafeUrl function to fix network related attacks

change/@fluentui-react-charting-355a59ec-794a-4da2-93a6-ea28e5c1c204.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "safeurl related bug fix",
+  "packageName": "@fluentui/react-charting",
+  "email": "132879294+v-baambati@users.noreply.github.com",
+  "dependentChangeType": "patch"
+}

change/@fluentui-react-charts-eede23c0-c45d-4f45-9a22-a7a9334860bb.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "safeurl related bug fix",
+  "packageName": "@fluentui/react-charts",
+  "email": "132879294+v-baambati@users.noreply.github.com",
+  "dependentChangeType": "patch"
+}

packages/charts/react-charting/src/utilities/UtilityUnitTests.test.ts

@@ -1523,6 +1523,10 @@ describe('isSafeUrl', () => {
     expect(utils.isSafeUrl('https://example.com')).toBe(true);
   });
 
+  test('Should allow https URL with leading whitespace', () => {
+    expect(utils.isSafeUrl('  https://example.com')).toBe(true);
+  });
+
   test('Should allow https URL with path, query, and fragment', () => {
     expect(utils.isSafeUrl('https://example.com/path?q=1#section')).toBe(true);
   });
@@ -1552,6 +1556,26 @@ describe('isSafeUrl', () => {
     expect(utils.isSafeUrl('javascript:alert(1)')).toBe(false);
   });
 
+  test('Should block javascript: protocol with leading whitespace', () => {
+    // eslint-disable-next-line no-script-url
+    expect(utils.isSafeUrl(' javascript:alert(1)')).toBe(false);
+  });
+
+  test('Should block javascript: protocol with leading tabs/newlines', () => {
+    // eslint-disable-next-line no-script-url
+    expect(utils.isSafeUrl('\n\tjavascript:alert(1)')).toBe(false);
+  });
+
+  test('Should block javascript: protocol with embedded newline in scheme', () => {
+    // eslint-disable-next-line no-script-url
+    expect(utils.isSafeUrl('java\nscript:alert(1)')).toBe(false);
+  });
+
+  test('Should block javascript: protocol with embedded tab in scheme', () => {
+    // eslint-disable-next-line no-script-url
+    expect(utils.isSafeUrl('java\tscript:alert(1)')).toBe(false);
+  });
+
   test('Should block data: protocol', () => {
     expect(utils.isSafeUrl('data:text/html,<script>alert(1)</script>')).toBe(false);
   });
@@ -1580,6 +1604,10 @@ describe('isSafeUrl', () => {
     expect(utils.isSafeUrl('custom:payload')).toBe(false);
   });
 
+  test('Should block custom: protocol with leading whitespace', () => {
+    expect(utils.isSafeUrl(' custom:payload')).toBe(false);
+  });
+
   test('Should allow a path that contains a colon but is not a scheme', () => {
     expect(utils.isSafeUrl('/path/to:resource')).toBe(true);
   });

packages/charts/react-charting/src/utilities/utilities.ts

@@ -2556,9 +2556,32 @@ const truncateTextToFitWidth = (text: string, maxWidth: number, measure: (s: str
 };
 
 export function isSafeUrl(href: string): boolean {
-  if (/^[a-z][a-z0-9+.-]*:/i.test(href)) {
-    return /^(https?|mailto|tel|ftp):/i.test(href);
+  const normalizedHref = href.trim();
+
+  if (!normalizedHref) {
+    return true;
   }
 
-  return true;
+  // Browsers normalize control characters and whitespace in URLs, so sanitize them
+  // before scheme detection to avoid bypasses such as "java\nscript:".
+  const normalizedHrefForSchemeCheck = normalizedHref.replace(/[\u0000-\u001F\u007F\s]+/g, '');
+
+  if (!normalizedHrefForSchemeCheck) {
+    return true;
+  }
+
+  // Detect an explicit URI scheme only when ':' appears before '/', '?', or '#'.
+  const firstPathOrQueryOrFragmentIndex = normalizedHrefForSchemeCheck.search(/[/?#]/);
+  const colonIndex = normalizedHrefForSchemeCheck.indexOf(':');
+  const hasExplicitScheme =
+    colonIndex > 0 &&
+    (firstPathOrQueryOrFragmentIndex === -1 || colonIndex < firstPathOrQueryOrFragmentIndex) &&
+    /^[a-z][a-z0-9+.-]*$/i.test(normalizedHrefForSchemeCheck.slice(0, colonIndex));
+
+  if (!hasExplicitScheme) {
+    return true;
+  }
+
+  const scheme = normalizedHrefForSchemeCheck.slice(0, colonIndex).toLowerCase();
+  return scheme === 'http' || scheme === 'https' || scheme === 'mailto' || scheme === 'tel' || scheme === 'ftp';
 }

packages/charts/react-charts/library/src/utilities/UtilityUnitTests.test.ts

@@ -1528,6 +1528,10 @@ describe('isSafeUrl', () => {
     expect(utils.isSafeUrl('https://example.com')).toBe(true);
   });
 
+  test('Should allow https URL with leading whitespace', () => {
+    expect(utils.isSafeUrl('  https://example.com')).toBe(true);
+  });
+
   test('Should allow https URL with path, query, and fragment', () => {
     expect(utils.isSafeUrl('https://example.com/path?q=1#section')).toBe(true);
   });
@@ -1557,6 +1561,26 @@ describe('isSafeUrl', () => {
     expect(utils.isSafeUrl('javascript:alert(1)')).toBe(false);
   });
 
+  test('Should block javascript: protocol with leading whitespace', () => {
+    // eslint-disable-next-line no-script-url
+    expect(utils.isSafeUrl(' javascript:alert(1)')).toBe(false);
+  });
+
+  test('Should block javascript: protocol with leading tabs/newlines', () => {
+    // eslint-disable-next-line no-script-url
+    expect(utils.isSafeUrl('\n\tjavascript:alert(1)')).toBe(false);
+  });
+
+  test('Should block javascript: protocol with embedded newline in scheme', () => {
+    // eslint-disable-next-line no-script-url
+    expect(utils.isSafeUrl('java\nscript:alert(1)')).toBe(false);
+  });
+
+  test('Should block javascript: protocol with embedded tab in scheme', () => {
+    // eslint-disable-next-line no-script-url
+    expect(utils.isSafeUrl('java\tscript:alert(1)')).toBe(false);
+  });
+
   test('Should block data: protocol', () => {
     expect(utils.isSafeUrl('data:text/html,<script>alert(1)</script>')).toBe(false);
   });
@@ -1585,6 +1609,10 @@ describe('isSafeUrl', () => {
     expect(utils.isSafeUrl('custom:payload')).toBe(false);
   });
 
+  test('Should block custom: protocol with leading whitespace', () => {
+    expect(utils.isSafeUrl(' custom:payload')).toBe(false);
+  });
+
   test('Should allow a path that contains a colon but is not a scheme', () => {
     expect(utils.isSafeUrl('/path/to:resource')).toBe(true);
   });

packages/charts/react-charts/library/src/utilities/utilities.ts

@@ -2716,8 +2716,32 @@ const truncateTextToFitWidth = (text: string, maxWidth: number, measure: (s: str
 };
 
 export function isSafeUrl(href: string): boolean {
-  if (/^[a-z][a-z0-9+.-]*:/i.test(href)) {
-    return /^(https?|mailto|tel|ftp):/i.test(href);
+  const normalizedHref = href.trim();
+
+  if (!normalizedHref) {
+    return true;
   }
-  return true;
+
+  // Browsers normalize control characters and whitespace in URLs, so sanitize them
+  // before scheme detection to avoid bypasses such as "java\nscript:".
+  const normalizedHrefForSchemeCheck = normalizedHref.replace(/[\u0000-\u001F\u007F\s]+/g, '');
+
+  if (!normalizedHrefForSchemeCheck) {
+    return true;
+  }
+
+  // Detect an explicit URI scheme only when ':' appears before '/', '?', or '#'.
+  const firstPathOrQueryOrFragmentIndex = normalizedHrefForSchemeCheck.search(/[/?#]/);
+  const colonIndex = normalizedHrefForSchemeCheck.indexOf(':');
+  const hasExplicitScheme =
+    colonIndex > 0 &&
+    (firstPathOrQueryOrFragmentIndex === -1 || colonIndex < firstPathOrQueryOrFragmentIndex) &&
+    /^[a-z][a-z0-9+.-]*$/i.test(normalizedHrefForSchemeCheck.slice(0, colonIndex));
+
+  if (!hasExplicitScheme) {
+    return true;
+  }
+
+  const scheme = normalizedHrefForSchemeCheck.slice(0, colonIndex).toLowerCase();
+  return scheme === 'http' || scheme === 'https' || scheme === 'mailto' || scheme === 'tel' || scheme === 'ftp';
 }