vmui: render unsafe markdown links as text in logs view#1470
Conversation
|
Updated the markdown link rendering changes:
|
| export const hasInvalidURLChars = (value: string): boolean => { | ||
| for (const ch of value) { | ||
| const code = ch.charCodeAt(0); | ||
| if (code <= 0x20 || code === 0x7f || (code >= 0x80 && code <= 0x9f)) { |
There was a problem hiding this comment.
Why char codes bigger than 0x9f are considered as valid codes?
There was a problem hiding this comment.
Because this check is specifically about rejecting control characters, not rejecting non-ASCII characters in general.
0x00–0x20 and 0x7f are ASCII control/whitespace characters. 0x80–0x9f is the C1 control range. These characters are not useful in URLs and can create parsing/escaping ambiguities.
Characters above 0x9f are regular Unicode code points, not control characters. They can be valid in URLs after new URL() parsing/normalization, for example in IDN domains or non-ASCII paths.
So > 0x9f is intentionally allowed here. Final URL validation is still done by new URL(href) and the explicit http/https protocol check.
There was a problem hiding this comment.
This is stricter, but it makes sense for clickable URLs in logs.
Signed-off-by: Phuong Le <39565248+func25@users.noreply.github.com>
Only explicit
http://andhttps://links are rendered as clickable links. Other markdown links and images are rendered as plain text.Follow up aadc99b