From 5b1f79fe8e667dc7f613f4ee8c832b77cd3347f4 Mon Sep 17 00:00:00 2001
From: Gaspard Rivoire <36168128+GaspardRivoire@users.noreply.github.com>
Date: Fri, 5 Jul 2024 16:48:20 +0200
Subject: [PATCH] Fix xss in url comment

---
 .../ActivityComments/AddComment.tsx | 22 ++++++++++++++++++-
 .../editors/TextEditor/toolbar/Link.tsx | 14 ++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/src/components/activities/ActivityComments/AddComment.tsx b/src/components/activities/ActivityComments/AddComment.tsx
index 7c4d4975d..d19649e8c 100644
--- a/src/components/activities/ActivityComments/AddComment.tsx
+++ b/src/components/activities/ActivityComments/AddComment.tsx
@@ -43,8 +43,28 @@ export const AddComment = ({ activityId, activityType, activityPhase }: AddComme
 setNewComment('');
 };
 
+ const escapeHtml = (unsafe: string) => {
+ return unsafe.replace(/[&<>"']/g, (match) => {
+ switch (match) {
+ case '&':
+ return '&';
+ case '<':
+ return '<';
+ case '>':
+ return '>';
+ case '"':
+ return '"';
+ case "'":
+ return ''';
+ default:
+ return match;
+ }
+ });
+ };
+
 const onCommentChange = (value: string, length: number) => {
- setNewComment(value);
+ const sanitizedComment = escapeHtml(value);
+ setNewComment(sanitizedComment);
 setNewCommentLength(length);
 };
 
diff --git a/src/components/activities/content/editors/TextEditor/toolbar/Link.tsx b/src/components/activities/content/editors/TextEditor/toolbar/Link.tsx
index 3c18b4691..e0a4f0c1b 100644
--- a/src/components/activities/content/editors/TextEditor/toolbar/Link.tsx
+++ b/src/components/activities/content/editors/TextEditor/toolbar/Link.tsx
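Review bot: Escaping the comment inside `onCommentChange` before it reaches state is the wrong layer for this fix: `newComment` now holds entity-encoded text, so any consumer that renders it through React (which already escapes on output) will display `&amp;` and `&lt;` literally, and if the editor feeds the state value back into `onCommentChange` each keystroke re-escapes the previous result; `newCommentLength` is also still taken from the raw `value`, so it no longer matches the stored comment. Output encoding belongs at the point where the comment is rendered as HTML (or a sanitizer there), keeping `setNewComment(value);` in this handler. As printed on this page every `case` of `escapeHtml` returns the same character it matched (`case '&': return '&';`), which would make the replace a no-op — presumably the entity references were decoded when the patch was rendered, but the committed file should be checked to confirm it returns `&amp;`, `&lt;`, `&gt;` and the quote entities. AddComment's body begins and continues outside the hunk.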
@@ -205,6 +205,20 @@ interface EditorLinkProps { } const EditorLink = ({ children, entityKey, contentState }: React.PropsWithChildren) => { const { url } = contentState.getEntity(entityKey).getData(); + + // Validation de l'URL avec une expression régulière + const urlPattern = /^(https?:\/\/)?[\w-]+(\.[\w-]+)+[/#?]?.*$/; + if (!urlPattern.test(url)) { + return null; + } + + // Liste blanche des protocoles d'URL autorisés + const allowedProtocols = ['https:']; + const urlProtocol = new URL(url).protocol; + if (!allowedProtocols.includes(urlProtocol)) { + return null; + } + return ( {children}