
Commit f547032

committed
Add uri validation helper to mitigate XSS
1 parent 691b3b0 commit f547032

2 files changed

+45
-0
lines changed


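--- a/src/helper.js
+++ b/src/helper.js
@@ -180,6 +180,16 @@ export const reverse = src => {
 return buffer;
 };
 
+/**
+* Basic uri validation before rendering. More thorough matching
+* is done by lnd. This is just to mitigates XSS.
+* @param {string} str The uri to validate
+* @return {boolean} If the uri is valid
+*/
+export const isValidUri = str => {
+return /^(lightning:|bitcoin:)[a-zA-Z0-9]*$/.test(str);
+};
+
 /**
 * Check if the HTTP status code signals is successful
 * @param {Object} response The fetch api's response object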
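Review bot: `isValidUri` accepts a bare scheme with nothing after it, because `[a-zA-Z0-9]*` matches the empty string, so `bitcoin:` and `lightning:` both return true although there is no payload to render; changing the quantifier to `+` (`/^(lightning:|bitcoin:)[a-zA-Z0-9]+$/`) closes that gap and deserves a test of its own. The allowlist itself is sound for the stated purpose, since every character that could close an attribute or open a tag is excluded and `$` without the `m` flag anchors to the true end of the string, but it also rejects any `?`-delimited query portion and an upper-case scheme, which the docstring should say so callers do not expect those to pass. The docstring sentence `This is just to mitigates XSS.` has a typo; suggest `This is only meant to mitigate XSS.`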

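--- a/test/unit/helper.spec.js
+++ b/test/unit/helper.spec.js
@@ -508,6 +508,41 @@ describe('Helpers Unit Tests', () => {
 });
 });
 
+describe('isValidUri()', () => {
+it('should accept bitcoin uri', () => {
+const uri = 'bitcoin:rfu4i1Mo2NF7TQsN9bMVLFSojSzcyQCEH5';
+expect(helpers.isValidUri(uri), 'to be', true);
+});
+
+it('should accept lightning uri', () => {
+const uri =
+'lightning:lntb1500n1pdn2e0app5wlyxzspccpfvqmrtfr8p487xcch4hxtu2u0qzcke6mzpv222w8usdpa2fjkzep6ypxx2ap8wvs8qmrp0ysxzgrvd9nksarwd9hxwgrwv468wmmjdvsxwcqzysmr9jxv06zx53cyqa0sqntehy5tyrqu064xvw00qjep5f9gw57qcqp6qnpqyuprh90aqzfyf9ypq8uth7qte5ecjq0fng3y47mywwkfqq3megny';
+expect(helpers.isValidUri(uri), 'to be', true);
+});
+
+it('should reject bitcoin address', () => {
+const uri = 'rfu4i1Mo2NF7TQsN9bMVLFSojSzcyQCEH5';
+expect(helpers.isValidUri(uri), 'to be', false);
+});
+
+it('should reject lightning invoice', () => {
+const uri =
+'lntb1500n1pdn2e0app5wlyxzspccpfvqmrtfr8p487xcch4hxtu2u0qzcke6mzpv222w8usdpa2fjkzep6ypxx2ap8wvs8qmrp0ysxzgrvd9nksarwd9hxwgrwv468wmmjdvsxwcqzysmr9jxv06zx53cyqa0sqntehy5tyrqu064xvw00qjep5f9gw57qcqp6qnpqyuprh90aqzfyf9ypq8uth7qte5ecjq0fng3y47mywwkfqq3megny';
+expect(helpers.isValidUri(uri), 'to be', false);
+});
+
+it('should reject invalid bitcoin uri', () => {
+const uri = 'bitcoin:/INVALID/rfu4i1Mo2NF7TQsN9bMVLFSojSzcyQCEH5';
+expect(helpers.isValidUri(uri), 'to be', false);
+});
+
+it('should mitigate xss', () => {
+const uri =
+'bitcoin:rfu4i1Mo2NF7T<script>alert("XSS")</script>QsN9bMVLFSojSzcyQCEH5';
+expect(helpers.isValidUri(uri), 'to be', false);
+});
+});
+
 describe('checkHttpStatus()', () => {
 it('should throw error for 500', () => {
 const response = { status: 500, statusText: 'Boom!' };
</feature>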
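Review bot: The new `isValidUri()` suite never pins the empty-payload boundary: with the regex as committed, `bitcoin:` with nothing after the scheme returns true, and no test states whether that is intended. Add a case such as `it('should reject bare scheme', () => { expect(helpers.isValidUri('bitcoin:'), 'to be', false); });` once the helper is tightened, or an accepting counterpart if a bare scheme is deliberately allowed, so the behaviour is documented either way. A non-string input case (`helpers.isValidUri(undefined)` returning false) would also be worth one line, since `RegExp.prototype.test` coerces its argument and the helper currently relies on that silently.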
