fix xss in generic iframe embed (#1419)

2026-05-18 23:44:24 +08:00 · 2025-07-29 19:28:48 +01:00
parent 78bce0e29d
commit 6b627d289c
5 changed files with 42 additions and 11 deletions
@@ -4,6 +4,7 @@ import { Selection, Transaction } from "@tiptap/pm/state";
 import { CellSelection, TableMap } from "@tiptap/pm/tables";
 import { Node, ResolvedPos } from "@tiptap/pm/model";
 import Table from "@tiptap/extension-table";
+import { sanitizeUrl as braintreeSanitizeUrl } from "@braintree/sanitize-url";

 export const isRectSelected = (rect: any) => (selection: CellSelection) => {
  const map = TableMap.get(selection.$anchorCell.node(-1));
@@ -379,3 +380,12 @@ export function setAttributes(
 export function icon(name: string) {
  return `<span class="ProseMirror-icon ProseMirror-icon-${name}"></span>`;
 }
+
+export function sanitizeUrl(url: string | undefined): string {
+  if (!url) return "";
+  
+  const sanitized = braintreeSanitizeUrl(url);
+  
+  // Return empty string instead of "about:blank"
+  return sanitized === "about:blank" ? "" : sanitized;
+}