chore: fix some security issues in markdown (#20639)

2025-12-25 01:00:42 -05:00 · 2025-06-04 15:56:29 +08:00
parent 006496f24e
commit d22c351221
3 changed files with 13 additions and 13 deletions
--- a/web/app/components/base/markdown-blocks/button.tsx
+++ b/web/app/components/base/markdown-blocks/button.tsx
@@ -1,7 +1,7 @@
 import { useChatContext } from '@/app/components/base/chat/chat/context'
 import Button from '@/app/components/base/button'
 import cn from '@/utils/classnames'
-
+import { isValidUrl } from './utils'
 const MarkdownButton = ({ node }: any) => {
  const { onSend } = useChatContext()
  const variant = node.properties.dataVariant
@@ -9,25 +9,17 @@ const MarkdownButton = ({ node }: any) => {
  const link = node.properties.dataLink
  const size = node.properties.dataSize

-  function is_valid_url(url: string): boolean {
-    try {
-      const parsed_url = new URL(url)
-      return ['http:', 'https:'].includes(parsed_url.protocol)
-    }
-    catch {
-      return false
-    }
-  }
-
  return <Button
    variant={variant}
    size={size}
    className={cn('!h-auto min-h-8 select-none whitespace-normal !px-3')}
    onClick={() => {
-      if (is_valid_url(link)) {
+      if (isValidUrl(link)) {
        window.open(link, '_blank')
        return
      }
+      if(!message)
+        return
      onSend?.(message)
    }}
  >