fix: security-issues: Client-side URL redirect (binary-com#7600)

sanjam-deriv · Mar 13, 2023 · ae46572 · ae46572
1 parent 1d02272
commit ae46572
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 5 deletions.
diff --git a/packages/reports/src/Containers/open-positions.jsx b/packages/reports/src/Containers/open-positions.jsx
@@ -203,6 +203,8 @@ export const OpenPositionsTable = ({
     </React.Fragment>
 );
 
+const portfoliows_href = urlFor('user/portfoliows', { legacy: true });
+
 const getRowAction = row_obj =>
     row_obj.is_unsupported
         ? {
@@ -218,7 +220,7 @@ const getRowAction = row_obj =>
                               className='link link--orange'
                               rel='noopener noreferrer'
                               target='_blank'
-                              href={urlFor('user/portfoliows', { legacy: true })}
+                              href={portfoliows_href}
                           />,
                       ]}
                   />

diff --git a/packages/reports/src/Containers/profit-table.jsx b/packages/reports/src/Containers/profit-table.jsx
@@ -16,6 +16,8 @@ import PlaceholderComponent from '../Components/placeholder-component.jsx';
 import { ReportsMeta } from '../Components/reports-meta.jsx';
 import { getProfitTableColumnsTemplate } from 'Constants/data-table-constants';
 
+const profit_tablews_href = urlFor('user/profit_tablews', { legacy: true });
+
 const getRowAction = row_obj =>
     getSupportedContracts()[extractInfoFromShortcode(row_obj.shortcode).category.toUpperCase()] &&
     !isForwardStarting(row_obj.shortcode, row_obj.purchase_time_unix)
@@ -33,7 +35,7 @@ const getRowAction = row_obj =>
                               className='link link--orange'
                               rel='noopener noreferrer'
                               target='_blank'
-                              href={urlFor('user/profit_tablews', { legacy: true })}
+                              href={profit_tablews_href}
                           />,
                       ]}
                   />

diff --git a/packages/reports/src/Containers/statement.jsx b/packages/reports/src/Containers/statement.jsx
@@ -52,6 +52,8 @@ const DetailsComponent = ({ message = '', action_type = '' }) => {
     );
 };
 
+const statementws_href = urlFor('user/statementws', { legacy: true });
+
 const getRowAction = row_obj => {
     let action;
     if (row_obj.id && ['buy', 'sell'].includes(row_obj.action_type)) {
@@ -72,7 +74,7 @@ const getRowAction = row_obj => {
                                       className='link link--orange'
                                       rel='noopener noreferrer'
                                       target='_blank'
-                                      href={urlFor('user/statementws', { legacy: true })}
+                                      href={statementws_href}
                                   />,
                               ]}
                           />

diff --git a/packages/trader/src/App/Containers/Modals/trade-modals.jsx b/packages/trader/src/App/Containers/Modals/trade-modals.jsx
@@ -47,7 +47,8 @@ const TradeModals = ({
     };
 
     const unsupportedContractOnClose = () => {
-        window.open(urlFor('user/portfoliows', { legacy: true }), '_blank');
+        const portfoliows_url = urlFor('user/portfoliows', { legacy: true });
+        window.open(portfoliows_url, '_blank');
         unsupportedContractOnConfirm(false);
     };
 

diff --git a/packages/trader/src/Modules/Contract/Containers/contract-replay.jsx b/packages/trader/src/Modules/Contract/Containers/contract-replay.jsx
@@ -98,7 +98,8 @@ const ContractReplay = ({
     };
 
     const unsupportedContractOnClose = () => {
-        window.open(urlFor('user/statementws', { legacy: true }), '_blank');
+        const statementws_url = urlFor('user/statementws', { legacy: true });
+        window.open(statementws_url, '_blank');
     };
 
     return (