allow mailto links in js/unsafe-external-link

erik-krogh · erik-krogh · commit f7edf28d0d89 · 2020-08-31T16:01:28.000+02:00
diff --git a/javascript/ql/src/DOM/TargetBlank.ql b/javascript/ql/src/DOM/TargetBlank.ql
@@ -31,7 +31,9 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {
       // fixed string with templating
       url.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
       // ... that does not start with a fixed host or a relative path (common formats)
-      not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*")
+      not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*") and
+      // ... that is not a mailto: link
+      not url.regexpMatch("mailto:.*")
     )
   )
 }
diff --git a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.html b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.html
@@ -26,5 +26,8 @@ <h1>NOT OK, because of dynamic URL</h1>
   Example
 </a>
 
+<h1>OK: mailto is fine.</h1>
+<a target="_blank" href="mailto:{{var:mail}}">mail somone</a>
+
 </body>
 </html>

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,9 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {`
`31`	`31`	`// fixed string with templating`
`32`	`32`	`url.regexpMatch(Templating::getDelimiterMatchingRegexp()) and`
`33`	`33`	`// ... that does not start with a fixed host or a relative path (common formats)`
`34`		`- not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]/.")`
	`34`	`+ not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]/.") and`
	`35`	`+ // ... that is not a mailto: link`
	`36`	`+ not url.regexpMatch("mailto:.*")`
`35`	`37`	`)`
`36`	`38`	`)`
`37`	`39`	`}`