
[Question] formio sandbox - allowing MS Teams URI

Open Rolf-MP opened this issue 4 years ago • 0 comments

Hi,

I am trying to allow href to use the msteams protocol in the formio sandbox through the options json. This does not fly however.

{
  "display": "form",
  "components": [
    {
      "label": "HTML",
      "tag": "div",
      "attrs": [
        {
          "attr": "",
          "value": ""
        }
      ],
      "content": "<a href=\"msteams:/l/chat/0/[email protected]\">MS Teams link</a>",
      "refreshOnChange": false,
      "key": "html3",
      "type": "htmlelement",
      "input": false,
      "tableView": false
    }
  ]
}

When I add the below as a string in the options json

{
  "sanitizeConfig": {
    "allowedUriRegex" : "/^(?:(?:(?:f|ht)tps?|mailto|msteams|tel|callto|cid|xmpp|xxx):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i"
  }
} 

It is not respected (testing the regexp against the msteams URI shows the regexp is fine). I presume this is because the regex string is not converted to a regex object in the sanitize function in utils.js.

Suggestion: detect if "allowedUriRegex" is a regex object and, if not, convert (an array of) strings to a regex object per jsref_regexp_constructor.

From utils.js:

import dompurify from 'dompurify';

export function sanitize(string, options) {
  // DOMPurify configuration
  const sanitizeOptions = {
    ADD_ATTR: ['ref', 'target'],
    USE_PROFILES: { html: true }
  };
  // Add attrs (appended to the defaults above)
  if (options.sanitizeConfig && Array.isArray(options.sanitizeConfig.addAttr) && options.sanitizeConfig.addAttr.length > 0) {
    options.sanitizeConfig.addAttr.forEach((attr) => {
      sanitizeOptions.ADD_ATTR.push(attr);
    });
  }
  // Add tags
  if (options.sanitizeConfig && Array.isArray(options.sanitizeConfig.addTags) && options.sanitizeConfig.addTags.length > 0) {
    sanitizeOptions.ADD_TAGS = options.sanitizeConfig.addTags;
  }
  // Allow tags (replaces DOMPurify's default allow-list)
  if (options.sanitizeConfig && Array.isArray(options.sanitizeConfig.allowedTags) && options.sanitizeConfig.allowedTags.length > 0) {
    sanitizeOptions.ALLOWED_TAGS = options.sanitizeConfig.allowedTags;
  }
  // Allow attributes (replaces DOMPurify's default allow-list)
  if (options.sanitizeConfig && Array.isArray(options.sanitizeConfig.allowedAttrs) && options.sanitizeConfig.allowedAttrs.length > 0) {
    sanitizeOptions.ALLOWED_ATTR = options.sanitizeConfig.allowedAttrs;
  }
  // Allowed URI Regex
  // The configured value is passed through unchanged: a string from the
  // options JSON reaches DOMPurify as a string, not as a RegExp object.
  if (options.sanitizeConfig && options.sanitizeConfig.allowedUriRegex) {
    sanitizeOptions.ALLOWED_URI_REGEXP = options.sanitizeConfig.allowedUriRegex;
  }
  return dompurify.sanitize(string, sanitizeOptions);
}

Best! Rolf

Rolf-MP avatar Oct 06 '21 12:10 Rolf-MP
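Added example, not formio's or DOMPurify's own code, of the conversion the post suggests, written for Node with no dependencies. `coerceUriRegex` (a hypothetical helper name) turns a RegExp, a `/pattern/flags` string, a bare pattern string, or an array of extra scheme names into a RegExp; `buildSanitizeOptions` mirrors the `allowedUriRegex` branch of the posted sanitize() with that conversion added; `isAllowedUri` applies the pattern the way a sanitizer should, stripping whitespace and control characters first (the character class used for that is an assumption modelled on DOMPurify's). DOMPurify's default `ALLOWED_URI_REGEXP` is copied in as a constant so nothing needs to be installed, and the sample URIs are constructed. One caveat the post's options JSON needs: `\-` is not a legal JSON escape, so the embedded copy below doubles the backslashes to make JSON.parse accept it.

```javascript
// Added example (not formio's or DOMPurify's code): coerce a
// sanitizeConfig.allowedUriRegex value into a RegExp before it reaches
// DOMPurify, then check what the resulting pattern lets through.
// Runs stand-alone under Node; DOMPurify itself is not loaded.

// DOMPurify's default ALLOWED_URI_REGEXP, copied here so the example runs
// offline. The pattern in the post is this one with "msteams" and "xxx" added.
const DEFAULT_ALLOWED_URI_REGEXP =
  /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;

// Assumed whitespace/control class, modelled on the one DOMPurify strips from
// attribute values before the URI test (so "java\nscript:" is not a bypass).
const ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Hypothetical helper implementing the post's suggestion: accept a RegExp, a
// "/pattern/flags" string (as it would sit inside the options JSON), a bare
// pattern string, or an array of extra scheme names, and return a RegExp.
function coerceUriRegex(value) {
  if (value instanceof RegExp) {
    return value;
  }
  if (typeof value === 'string' && value.length > 0) {
    const m = /^\/([\s\S]+)\/([a-z]*)$/.exec(value);
    return m ? new RegExp(m[1], m[2]) : new RegExp(value, 'i');
  }
  if (Array.isArray(value) && value.length > 0) {
    // Scheme names are escaped and spliced into the default pattern so the
    // relative-URI branches (and the ":" exclusion) survive unchanged.
    const schemes = value.map(escapeRegex).join('|');
    return new RegExp(
      '^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|' + schemes +
      '):|[^a-z]|[a-z+.\\-]+(?:[^a-z+.\\-:]|$))', 'i');
  }
  return DEFAULT_ALLOWED_URI_REGEXP;
}

// Mirrors the allowedUriRegex branch of the sanitize() shown in the post,
// with the coercion applied (hypothetical; the posted function does not).
function buildSanitizeOptions(options) {
  const sanitizeOptions = { ADD_ATTR: ['ref', 'target'], USE_PROFILES: { html: true } };
  const cfg = options && options.sanitizeConfig;
  if (cfg && cfg.allowedUriRegex) {
    sanitizeOptions.ALLOWED_URI_REGEXP = coerceUriRegex(cfg.allowedUriRegex);
  }
  return sanitizeOptions;
}

// Apply the URI test the way a sanitizer should: strip whitespace/control
// characters first, then test the pattern against what is left.
function isAllowedUri(regex, uri) {
  return regex.test(String(uri).replace(ATTR_WHITESPACE, ''));
}

// What happens when the raw string is used as the receiver of
// RegExp.prototype.test instead of a RegExp: the call throws. Returns the
// error class name so the outcome can be checked.
function testWithStringReceiver(rawValue, uri) {
  try {
    RegExp.prototype.test.call(rawValue, uri);
    return 'ok';
  } catch (e) {
    return e.constructor.name;
  }
}

// The options JSON from the post, with backslashes doubled so that it is
// valid JSON (a bare "\-" is not a legal JSON escape).
const OPTIONS_JSON = '{"sanitizeConfig":{"allowedUriRegex":' +
  '"/^(?:(?:(?:f|ht)tps?|mailto|msteams|tel|callto|cid|xmpp|xxx):|[^a-z]|[a-z+.\\\\-]+(?:[^a-z+.\\\\-:]|$))/i"}}';

function demo() {
  const parsed = JSON.parse(OPTIONS_JSON);
  const re = buildSanitizeOptions(parsed).ALLOWED_URI_REGEXP;
  const teams = 'msteams:/l/chat/0/0?users=someone@example.com'; // constructed sample
  return {
    isRegExp: re instanceof RegExp,
    teamsAllowedByConfig: isAllowedUri(re, teams),
    teamsAllowedByDefault: isAllowedUri(DEFAULT_ALLOWED_URI_REGEXP, teams),
    jsBlocked: !isAllowedUri(re, 'javascript:alert(1)'),
    splitJsBlocked: !isAllowedUri(re, 'java\nscript:alert(1)'),
    // Without the whitespace strip the newline splits the scheme and the
    // relative-URI branch accepts it: this is why the strip matters.
    newlineTrickAllowedWithoutStrip: re.test('java\nscript:alert(1)'),
    relativeAllowed: isAllowedUri(re, '/relative/path'),
    rawStringError: testWithStringReceiver(parsed.sanitizeConfig.allowedUriRegex, teams),
  };
}

console.log(demo());
```

In real use the object returned by `buildSanitizeOptions` is what gets passed as the second argument of `DOMPurify.sanitize`. Widening the allow-list is only as safe as the pattern itself: any variant that loses the `:` exclusion in the `[a-z+.\-]+(?:[^a-z+.\-:]|$)` branch, or that is tested without first stripping whitespace, lets `javascript:` back through.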