UNPKG

@gitlab/ui

Version:

GitLab UI Components

gitlab.com/gitlab-org/gitlab-ui

42 lines (29 loc) 1.11 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Safe Link Directive A Vue directive to make the hyperlinks secure by default. <!-- STORY --> ## Usage It can be used to prevent the following security concerns related to hyperlinks: 1. [Target="\_blank" Vulnerability](https://web.dev/external-anchors-use-rel-noopener/) The directive makes sure all the external urls have `noopener noreferrer` rel attributes. It also preserves the existing `rel` attribute values. 2. [URL Injection](https://vuejs.org/v2/guide/security.html#Injecting-URLs) Hyperlinks are vulnerable to `javascript://` based Cross-site scripting vulnerabilty. A simple vulnerable code would look like ```html <a href="javascript:alert(document.domain)">click me</a> ``` The directive makes sure all such XSS payloads are sanitized by replacing them with `about:blank`. ```html <script> import { GlSafeLinkDirective as SafeLink } from '@gitlab/ui'; export default { data() { return { url: 'javascript:alert(1)', }; }, directives: { SafeLink }, }; </script> <template> <a v-safe-link href="url" target="_blank">Click</a> </template> ```