fix: escape external links to prevent xss

src/lib/serializerHelpers.ts

@@ -55,7 +55,7 @@ export const serializeHyperlink = (
 ): string => {
 	switch (node.data.link_type) {
 		case LinkType.Web: {
-			return `<a href="${node.data.url}" target="${
+			return `<a href="${escapeHtml(node.data.url)}" target="${
 				node.data.target
 			}" rel="noopener noreferrer"${getLabel(node)}>${children.join("")}</a>`;
 		}

test/__fixtures__/richText.ts

@@ -1,7 +1,9 @@
 import { RichTextField } from "@prismicio/types";
 
 import enRichTextJSON from "./enRichText.json";
+import xssRichTextJSON from "./xssRichText.json";
 
 export const richTextFixture = {
 	en: enRichTextJSON as RichTextField,
+	xss: xssRichTextJSON as RichTextField,
 };

test/__fixtures__/xssRichText.json

@@ -0,0 +1,32 @@
+[
+	{
+		"type": "paragraph",
+		"text": "This is a link with XSS.",
+		"spans": [
+			{
+				"start": 10,
+				"end": 14,
+				"type": "hyperlink",
+				"data": {
+					"link_type": "Web",
+					"url": "https://example.org\" onmouseover=\"alert(document.cookie);"
+				}
+			}
+		]
+	},
+	{
+		"type": "paragraph",
+		"text": "This is a normal link.",
+		"spans": [
+			{
+				"start": 17,
+				"end": 21,
+				"type": "hyperlink",
+				"data": {
+					"link_type": "Web",
+					"url": "https://prismic.io"
+				}
+			}
+		]
+	}
+]

test/asHTML.test.ts

@@ -18,3 +18,7 @@ test("serializes with a custom function serializer", (t) => {
 test("serializes with a custom map serializer", (t) => {
 	t.snapshot(asHTML(richTextFixture.en, linkResolver, htmlMapSerializer));
 });
+
+test("escapes external links to prevent XSS", (t) => {
+	t.snapshot(asHTML(richTextFixture.xss, linkResolver));
+});

test/snapshots/asHTML.test.ts.md

@@ -21,3 +21,9 @@ Generated by [AVA](https://avajs.dev).
 > Snapshot 1
 
     '<h2>Lorem ipsum dolor sit amet.</h2><h2>Lorem ipsum dolor sit amet.</h2><h3>Lorem ipsum dolor sit amet.</h3><h4>Lorem ipsum dolor sit amet.</h4><h5>Lorem ipsum dolor sit amet.</h5><h6>Lorem ipsum dolor sit amet.</h6><p>Lorem ipsum dolor sit amet.</p><p></p><h2>Lorem ipsum dolor <strong>sit amet</strong>, consectetur <em>adipiscing elit</em>, sed do eiusmod tempor incididunt ut labore et dolore <span class="label">magna aliqua</span>. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea <a href="https://google.com" target="undefined" rel="noopener noreferrer">commodo consequat</a>. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat <a href="/home">nulla pariatur</a>. Excepteur sint occaecat cupidatat <a href="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format">non proident</a>, sunt in culpa qui officia deserunt mollit anim id est laborum.</h2><p>Lorem ipsum dolor <strong>sit amet</strong>, consectetur <em>adipiscing elit</em>, sed do eiusmod tempor incididunt ut labore et dolore <span class="testLabel">magna aliqua</span>. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea <a href="https://google.com" target="undefined" rel="noopener noreferrer">commodo consequat</a>. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat <a href="/home">nulla pariatur</a>. Excepteur sint occaecat cupidatat <a href="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format">non proident</a>, sunt in culpa qui officia deserunt mollit anim id est laborum.</p><ol><li>Lorem ipsum dolor <strong>sit amet</strong>, consectetur <em>adipiscing elit</em>, sed do eiusmod tempor incididunt ut labore et dolore <span class="label">magna aliqua</span>. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea <a href="https://google.com" target="undefined" rel="noopener noreferrer">commodo consequat</a>. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat <a href="/home">nulla pariatur</a>. Excepteur sint occaecat cupidatat <a href="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format">non proident</a>, sunt in culpa qui officia deserunt mollit anim id est laborum.</li><li>Lorem ipsum dolor sit amet.</li><li>Lorem ipsum dolor sit amet.</li></ol><ul><li>Lorem ipsum dolor <strong>sit amet</strong>, consectetur <em>adipiscing elit</em>, sed do eiusmod tempor incididunt ut labore et dolore <span class="label">magna aliqua</span>. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea <a href="https://google.com" target="undefined" rel="noopener noreferrer">commodo consequat</a>. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat <a href="/home">nulla pariatur</a>. Excepteur sint occaecat cupidatat <a href="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format">non proident</a>, sunt in culpa qui officia deserunt mollit anim id est laborum.</li><li>Lorem ipsum dolor sit amet.</li><li>Lorem ipsum dolor sit amet.</li></ul><p>Lorem ipsum dolor <strong>sit amet</strong>, consectetur <em>adipiscing elit</em>, sed do eiusmod tempor incididunt ut labore et dolore <span class="label">magna aliqua</span>. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea <a href="https://google.com" target="undefined" rel="noopener noreferrer">commodo consequat</a>. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat <a href="/home">nulla pariatur</a>. Excepteur sint occaecat cupidatat <a href="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format">non proident</a>, sunt in culpa qui officia deserunt mollit anim id est laborum.</p><p>Lorem ipsum dolor <strong>sit amet</strong>, consectetur <em>adipiscing elit</em>, sed do eiusmod tempor incididunt ut labore et dolore <span class="label">magna aliqua</span>. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea <a href="https://google.com" target="undefined" rel="noopener noreferrer">commodo consequat</a>. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat <a href="/home">nulla pariatur</a>. Excepteur sint occaecat cupidatat <a href="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format">non proident</a>, sunt in culpa qui offic<span class="testLabel">ia deserunt mollit anim id est laborum.</span></p><img src="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format" alt="An Atlantic Puffin" /><img src="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format" alt="An Atlantic Puffin" copyright="Unsplash" /><p><span class="testLabel">Lorem ipsum dolor <strong>sit amet</strong>, consecte</span>tur <em>adipiscing elit</em>, sed do eiusmod tempor incididunt ut labore et dolore <span class="label">magna aliqua</span>. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea <a href="https://google.com" target="undefined" rel="noopener noreferrer">commodo consequat</a>. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat <a href="/home">nulla pariatur</a>. Excepteur sint occaecat cupidatat <a href="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format">non proident</a>, sunt in culpa qui officia deserunt mollit anim id est laborum.</p><img src="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format" alt="An Atlantic Puffin" /><p><span class="label">Lorem ipsum dolor <strong>sit amet</strong>, consecte</span>tur <em>adipiscing elit</em>, sed do eiusmod tempor incididunt ut labore et dolore <span class="label">magna aliqua</span>. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea <a href="https://google.com" target="undefined" rel="noopener noreferrer">commodo consequat</a>. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat <a href="/home">nulla pariatur</a>. Excepteur sint occaecat cupidatat <a href="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format">non proident</a>, sunt in culpa qui officia deserunt mollit anim id est laborum.</p><pre>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.</pre><p><span class="label">Lorem ipsum dolor <strong>sit amet</strong>, consecte</span>tur <em>adipiscing elit</em>, sed do eiusmod tempor incididunt ut labore et dolore <span class="label">magna aliqua</span>. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea <a href="https://google.com" target="undefined" rel="noopener noreferrer">commodo consequat</a>. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat <a href="/home">nulla pariatur</a>. Excepteur sint occaecat cupidatat <a href="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format">non proident</a>, sunt in culpa qui officia deserunt mollit anim id est laborum.</p><div data-oembed="https://www.youtube.com/watch?v=n5CwXuyNfoc" data-oembed-type="video" data-oembed-provider="YouTube"><iframe width="200" height="113" src="https://www.youtube.com/embed/n5CwXuyNfoc?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></div><p><span class="label">Lorem ipsum dolor <strong>sit amet</strong>, consecte</span>tur <em>adipiscing elit</em>, sed do eiusmod tempor incididunt ut labore et dolore <span class="label">magna aliqua</span>. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea <a href="https://google.com" target="undefined" rel="noopener noreferrer">commodo consequat</a>. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat <a href="/home">nulla pariatur</a>. Excepteur sint occaecat cupidatat <a href="https://images.prismic.io/200629-sms-hoy/f0a757f6-770d-4eb8-a08b-f1727f1a58e4_guilherme-romano-KI2KaOeT670-unsplash.jpg?auto=compress,format">non proident</a>, sunt in culpa qui officia deserunt mollit anim id est laborum.</p>'
+
+## escapes external links to prevent XSS
+
+> Snapshot 1
+
+    '<p>This is a <a href="https://example.org&quot; onmouseover=&quot;alert(document.cookie);" target="undefined" rel="noopener noreferrer">link</a> with XSS.</p><p>This is a normal <a href="https://prismic.io" target="undefined" rel="noopener noreferrer">link</a>.</p>'