Skip to content

fix(security): validate URL scheme before rendering href to block javascript: XSS #102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
aaronjmars wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(security): validate URL scheme before rendering href to block javascript: XSS #102

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
39b17fe
fix(security): validate URL scheme before rendering href
aaronjmars May 4, 2026
39ac3ed
fix(security): strip C0 controls + DEL in safeUrl before scheme check
aaronjmars May 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 18 additions & 3 deletions skills/company-research/scripts/compile_report.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,20 @@ function escapeHtml(str) {
return (str || '').replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Reject any URL whose scheme isn't http(s)/mailto so the company `website`
// field can't smuggle a `javascript:` payload into the rendered href.
function safeUrl(u) {
if (!u || typeof u !== 'string') return null;
// Strip C0 controls + DEL before any scheme check. The WHATWG URL parser
// removes these before parsing, so `java\tscript:` reaches the browser as
// `javascript:` and runs — but the scheme regex below wouldn't catch it
// because `[a-z0-9+.-]` rejects the tab and falls through to return trimmed.
const trimmed = u.trim().replace(/[\x00-\x1F\x7F]/g, '');
if (/^(\/\/|https?:\/\/|mailto:)/i.test(trimmed)) return trimmed;
if (/^[a-z][a-z0-9+.-]*:/i.test(trimmed)) return null;
return trimmed;
}

function scoreClass(score) {
const s = parseInt(score) || 0;
if (s >= 8) return 'high';
Expand Down Expand Up @@ -205,8 +219,9 @@ const tableRows = deduped.map(c => {
const nameHtml = hasDetail
? `<a href="companies/${c.slug}.html">${escapeHtml(c.company_name)}</a>`
: escapeHtml(c.company_name);
const websiteHtml = c.website
? `<br><a href="${escapeHtml(c.website)}" target="_blank" style="font-size:0.75rem;color:var(--muted);">${escapeHtml(c.website.replace(/^https?:\/\/(www\.)?/, ''))}</a>`
const safeWebsite = safeUrl(c.website);
const websiteHtml = safeWebsite
? `<br><a href="${escapeHtml(safeWebsite)}" target="_blank" rel="noopener" style="font-size:0.75rem;color:var(--muted);">${escapeHtml(safeWebsite.replace(/^https?:\/\/(www\.)?/, ''))}</a>`
: '';
return ` <tr>
<td><span class="score ${sc}">${escapeHtml(c.icp_fit_score || '—')}</span></td>
Expand Down Expand Up @@ -289,7 +304,7 @@ for (const c of deduped) {
<h1>${escapeHtml(c.company_name)}</h1>
<div class="meta">
<span class="score-badge ${sc}">ICP Score: ${escapeHtml(c.icp_fit_score || '—')}</span>
${c.website ? `<a href="${escapeHtml(c.website)}" target="_blank">${escapeHtml(c.website)}</a>` : ''}
${(() => { const s = safeUrl(c.website); return s ? `<a href="${escapeHtml(s)}" target="_blank" rel="noopener">${escapeHtml(s)}</a>` : ''; })()}
</div>
</header>
<dl class="fields">
Expand Down
43 changes: 33 additions & 10 deletions skills/event-prospecting/scripts/compile_report.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,21 @@ function escapeJsInAttr(str) {
return escapeAttr(js);
}

// Reject any URL whose scheme isn't http(s)/mailto, so attacker-controlled
// fields (LinkedIn, X, GitHub, blog, podcast, image, company website) can't
// smuggle a `javascript:` payload into a rendered href.
function safeUrl(u) {
if (!u || typeof u !== 'string') return null;
// Strip C0 controls + DEL before any scheme check. The WHATWG URL parser
// removes these before parsing, so `java\tscript:` reaches the browser as
// `javascript:` and runs — but the scheme regex below wouldn't catch it
// because `[a-z0-9+.-]` rejects the tab and falls through to return trimmed.
const trimmed = u.trim().replace(/[\x00-\x1F\x7F]/g, '');
if (/^(\/\/|https?:\/\/|mailto:)/i.test(trimmed)) return trimmed;
if (/^[a-z][a-z0-9+.-]*:/i.test(trimmed)) return null;
return trimmed;
}
Comment thread
cursor[bot] marked this conversation as resolved.

function scoreClass(score) {
const s = parseInt(score) || 0;
if (s >= 8) return 'high';
Expand Down Expand Up @@ -386,8 +401,9 @@ function renderPersonCard(person, company) {
podcast: person.podcast || null,
};
const linkPills = ['linkedin', 'x', 'github', 'blog', 'podcast']
.filter(k => links[k])
.map(k => `<a class="link-pill link-${k}" href="${escapeHtml(links[k])}" target="_blank" rel="noopener">${k.toUpperCase()}</a>`)
.map(k => ({ k, safe: safeUrl(links[k]) }))
.filter(({ safe }) => safe)
.map(({ k, safe }) => `<a class="link-pill link-${k}" href="${escapeHtml(safe)}" target="_blank" rel="noopener">${k.toUpperCase()}</a>`)
.join(' ');

const score = c.icp_fit_score || person.icp_fit_score || '?';
Expand All @@ -396,8 +412,9 @@ function renderPersonCard(person, company) {
const hook = person.hook || extractSection(person.body, 'Hook') || '—';
const roleReason = person.role_reason || extractSection(person.body, 'Why the person') || '—';
const dmOpener = person.dm_opener || extractSection(person.body, 'DM Opener') || '';
const photo = person.image
? `<img class="photo" src="${escapeHtml(person.image)}" alt="${escapeHtml(person.name || '')}" loading="lazy" referrerpolicy="no-referrer" onerror="this.replaceWith(Object.assign(document.createElement('div'),{className:'photo photo-placeholder',textContent:'${escapeJsInAttr(initials(person.name))}'}))">`
const safeImage = safeUrl(person.image);
const photo = safeImage
? `<img class="photo" src="${escapeHtml(safeImage)}" alt="${escapeHtml(person.name || '')}" loading="lazy" referrerpolicy="no-referrer" onerror="this.replaceWith(Object.assign(document.createElement('div'),{className:'photo photo-placeholder',textContent:'${escapeJsInAttr(initials(person.name))}'}))">`
: `<div class="photo photo-placeholder">${escapeHtml(initials(person.name))}</div>`;

return `<div class="person-card" data-slug="${escapeHtml(person.slug)}" data-company="${escapeHtml((person.company || '').toLowerCase())}" data-role="${escapeHtml(roleBucket(person.title))}" data-icpband="${band}" data-icp-score="${escapeHtml(String(score))}">
Expand Down Expand Up @@ -566,8 +583,9 @@ function renderGroupedByCompany(personList) {
const nameHtml = hasDetail
? `<a href="companies/${escapeHtml(company.slug)}.html">${escapeHtml(company.company_name)}</a>`
: escapeHtml(company.company_name);
const websiteHtml = company.website
? ` &middot; <a href="${escapeHtml(company.website)}" target="_blank" rel="noopener">${escapeHtml(company.website.replace(/^https?:\/\/(www\.)?/, ''))}</a>`
const safeCompanyWebsite = safeUrl(company.website);
const websiteHtml = safeCompanyWebsite
? ` &middot; <a href="${escapeHtml(safeCompanyWebsite)}" target="_blank" rel="noopener">${escapeHtml(safeCompanyWebsite.replace(/^https?:\/\/(www\.)?/, ''))}</a>`
: '';
const metaBits = [
`${members.length} speaker${members.length === 1 ? '' : 's'}`,
Expand Down Expand Up @@ -656,15 +674,20 @@ function renderCompaniesTable() {
const nameHtml = hasDetail
? `<a href="companies/${c.slug}.html">${escapeHtml(c.company_name)}</a>`
: escapeHtml(c.company_name);
const websiteHtml = c.website
? `<br><a href="${escapeHtml(c.website)}" target="_blank" style="font-size:0.75rem;color:var(--muted);">${escapeHtml(c.website.replace(/^https?:\/\/(www\.)?/, ''))}</a>`
const safeWebsite = safeUrl(c.website);
const websiteHtml = safeWebsite
? `<br><a href="${escapeHtml(safeWebsite)}" target="_blank" rel="noopener" style="font-size:0.75rem;color:var(--muted);">${escapeHtml(safeWebsite.replace(/^https?:\/\/(www\.)?/, ''))}</a>`
: '';
const key = c.slug || (c.company_name || '').toLowerCase();
const attendees = byCompany.get(key) || [];
const attendeeBlock = attendees.length ? `
<details class="attendees">
<summary>${attendees.length} attendee${attendees.length === 1 ? '' : 's'}</summary>
<ul>${attendees.map(a => `<li><strong>${escapeHtml(a.name || a.slug)}</strong>${a.title ? ' &mdash; ' + escapeHtml(a.title) : ''}${(a.links && a.links.linkedin) ? ` &middot; <a href="${escapeHtml(a.links.linkedin)}" target="_blank" rel="noopener">LinkedIn</a>` : ''}</li>`).join('')}</ul>
<ul>${attendees.map(a => {
const safeLinkedin = safeUrl(a.links && a.links.linkedin);
const linkedinHtml = safeLinkedin ? ` &middot; <a href="${escapeHtml(safeLinkedin)}" target="_blank" rel="noopener">LinkedIn</a>` : '';
return `<li><strong>${escapeHtml(a.name || a.slug)}</strong>${a.title ? ' &mdash; ' + escapeHtml(a.title) : ''}${linkedinHtml}</li>`;
}).join('')}</ul>
</details>` : '';
return ` <tr>
<td><span class="score ${sc}">${escapeHtml(c.icp_fit_score || '—')}</span></td>
Expand Down Expand Up @@ -802,7 +825,7 @@ for (const c of deduped) {
<h1>${escapeHtml(c.company_name)}</h1>
<div class="meta">
<span class="score-badge ${sc}">ICP Score: ${escapeHtml(c.icp_fit_score || '—')}</span>
${c.website ? `<a href="${escapeHtml(c.website)}" target="_blank">${escapeHtml(c.website)}</a>` : ''}
${(() => { const s = safeUrl(c.website); return s ? `<a href="${escapeHtml(s)}" target="_blank" rel="noopener">${escapeHtml(s)}</a>` : ''; })()}
</div>
</header>
<dl class="fields">
Expand Down