Skip to content

vmui: render unsafe markdown links as text in logs view#1470

Open
func25 wants to merge 6 commits into
masterfrom
fix-vmui-markdown-http-links
Open

vmui: render unsafe markdown links as text in logs view#1470
func25 wants to merge 6 commits into
masterfrom
fix-vmui-markdown-http-links

Conversation

@func25

@func25 func25 commented Jun 2, 2026

Copy link
Copy Markdown
Member

Only explicit http:// and https:// links are rendered as clickable links. Other markdown links and images are rendered as plain text.

Follow up aadc99b

@func25 func25 requested review from Loori-R and valyala June 2, 2026 00:00

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Re-trigger cubic

@Loori-R

Loori-R commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Updated the markdown link rendering changes:

  • moved link-related helpers into a separate markedLinks utility
  • kept only explicit inline http/https markdown links clickable
  • rendered reference-style links and reference definitions as plain text
  • rejected URL control characters, including C1 controls
  • added tests for XSS in link text, reference-style links, preserved definitions, and control-character URLs

export const hasInvalidURLChars = (value: string): boolean => {
for (const ch of value) {
const code = ch.charCodeAt(0);
if (code <= 0x20 || code === 0x7f || (code >= 0x80 && code <= 0x9f)) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why char codes bigger than 0x9f are considered as valid codes?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because this check is specifically about rejecting control characters, not rejecting non-ASCII characters in general.

0x00–0x20 and 0x7f are ASCII control/whitespace characters. 0x80–0x9f is the C1 control range. These characters are not useful in URLs and can create parsing/escaping ambiguities.

Characters above 0x9f are regular Unicode code points, not control characters. They can be valid in URLs after new URL() parsing/normalization, for example in IDN domains or non-ASCII paths.

So > 0x9f is intentionally allowed here. Final URL validation is still done by new URL(href) and the explicit http/https protocol check.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Loori-R there are some invisible/bidi code points above 0x9f, wdyt about using:

const forbiddenURLCharsRegex = /[\p{Cc}\p{Cf}\p{Zs}\p{Zl}\p{Zp}\p{Default_Ignorable_Code_Point}]/u;
forbiddenURLCharsRegex.test(value);

Just got idea from this

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is stricter, but it makes sense for clickable URLs in logs.

func25 and others added 2 commits June 28, 2026 07:36
Signed-off-by: Phuong Le <39565248+func25@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants