Merged
test: improve utils test clarity and performance
* Initial plan
* Fix import paths and add error handling in agents.md documentation
  Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
* Complete: All fixes applied and verified
  Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
* Remove package-lock.json and add to gitignore
  Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
* Address PR review comments: add statusText and validate reply type
  Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>

---------

Co-authored-by: Jonas Pfalzgraf <info@josunlp.de>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>

* Initial plan
* Add automatic rel="noopener noreferrer" to external links in sanitizer
  Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
* Update documentation for automatic link security feature
  Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
* Fix isExternalUrl for Node.js and protocol-relative URLs
  Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
* Handle special protocols and edge cases in rel attribute parsing
  Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
* Fix case-sensitivity and whitespace handling in URL checks
  Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>

---------

Co-authored-by: Jonas Pfalzgraf <info@josunlp.de>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
Pull request overview
This PR enhances link security in bQuery's HTML sanitizer by automatically adding rel="noopener noreferrer" to external and target="_blank" links to prevent tabnabbing and referrer leakage vulnerabilities. The changes include comprehensive test coverage and updated documentation across multiple guides.
Changes:
- Added automatic rel="noopener noreferrer" to links with target="_blank" or external URLs in the sanitizer
- Added comprehensive test coverage for the new link security feature with 102 new test lines covering edge cases
- Fixed import paths in agents documentation and improved error handling examples
- Updated security documentation with detailed examples of the new link security behavior
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/security/sanitize.ts | Added isExternalUrl helper function and logic to automatically add rel="noopener noreferrer" to external/target="_blank" links; added rel and target to allowed attributes |
| tests/security.test.ts | Added 102 lines of comprehensive tests covering link security behavior including edge cases for protocols, casing, whitespace, SSR environments, and rel preservation |
| tests/utils.test.ts | Minor test improvements: renamed loop variable for clarity and added explicit assertion for prototype pollution test |
| docs/guide/security.md | Added new "Automatic Link Security" section with detailed examples demonstrating the feature |
| docs/guide/agents.md | Fixed import paths to use package-scoped imports and improved error handling in example code |
| README.md | Added example demonstrating automatic link security feature |
| CHANGELOG.md | Added version 1.1.2 entry documenting the security enhancement and documentation fixes |
| package.json | Bumped version from 1.1.1 to 1.1.2 |
| .gitignore | Added package-lock.json to gitignore |
…13)
* Initial plan
* Add critical comment explaining protocol-relative URL check
  Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
* Update src/security/sanitize.ts
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
Co-authored-by: Jonas Pfalzgraf <info@josunlp.de>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This pull request focuses on improving link security in the HTML sanitizer by automatically adding rel="noopener noreferrer" to external and target="_blank" links, updating documentation and tests accordingly, and making minor documentation and test improvements. These changes help prevent tabnabbing and referrer leakage vulnerabilities while ensuring the sanitizer's behavior is well-documented and robustly tested.

Security enhancements:
- Updated sanitize.ts to automatically add rel="noopener noreferrer" to <a> tags that either have target="_blank" or point to external domains, including protocol-relative URLs and special protocols like mailto: and tel:. Existing rel values are preserved and merged. [1] [2]
- Added rel and target to the allowed attributes.

Documentation updates:
- Updated CHANGELOG.md to document the security improvements and documentation fixes.
- Expanded the security guide (docs/guide/security.md) with a new section on automatic link security, including code examples for various link scenarios.
- Updated README.md to demonstrate the new link security behavior.

Testing improvements:
- Extended security.test.ts to cover the new link security behavior, including edge cases for various protocols, casing, whitespace, SSR/Node.js environments, and preservation of existing rel values.

Version bump:
- Bumped the version to 1.1.2 in package.json to reflect the new release.
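The review overview and the PR description above both describe the same rule: an anchor gets rel="noopener noreferrer" when it has target="_blank" or its href leaves the current origin, with the edge cases being whitespace, mixed case, protocol-relative "//host/..." hrefs, opaque schemes such as mailto:/tel:, a missing window.location under SSR/Node.js, and preservation of any rel tokens already present. The following is an added example written for this page, not bQuery's own sanitize.ts. The names isExternalUrl, mergeRel, hardenLink and LinkAttrs, the explicit currentOrigin parameter, and the choice to classify opaque schemes as external are assumptions of the example; it works on a plain attribute map rather than DOM nodes so it runs offline under Node.js.

```typescript
// Added example (not bQuery's sanitize.ts): a self-contained model of the rule the PR
// describes. isExternalUrl, mergeRel, hardenLink, LinkAttrs and the explicit
// `currentOrigin` parameter are assumptions of this example; it works on an attribute
// map instead of DOM nodes so it runs under Node.js without a document.

interface LinkAttrs {
  href?: string;
  target?: string;
  rel?: string;
}

// Placeholder base used only when no origin is known (SSR / Node.js has no window.location).
const UNKNOWN_ORIGIN = "http://unknown-origin.invalid";

/**
 * True when `href` leaves `currentOrigin`. Covers the edge cases the PR lists:
 * surrounding whitespace, upper-case scheme/host, protocol-relative "//host/..." hrefs
 * and opaque schemes such as mailto:/tel:.
 */
function isExternalUrl(href: string, currentOrigin?: string): boolean {
  const trimmed = href.trim();
  if (trimmed === "") return false; // no destination, nothing to harden

  let parsed: URL;
  try {
    // Resolving against a base makes "/path" same-origin and "//host/path" absolute.
    parsed = new URL(trimmed, currentOrigin ?? UNKNOWN_ORIGIN);
  } catch {
    return true; // unparseable href: fail closed and treat it as external
  }

  // mailto:, tel: etc. have an opaque origin ("null"). They leave the page, so this
  // example treats them as external (an assumption; the extra rel tokens are harmless).
  if (parsed.origin === "null") return true;

  // URL.origin is already normalised (lower-case scheme and host, default port dropped),
  // so "HTTPS://APP.EXAMPLE" compares equal to "https://app.example".
  const own = new URL(currentOrigin ?? UNKNOWN_ORIGIN).origin;
  return parsed.origin !== own;
}

/** Merges the required tokens into an existing rel value, keeping every original token. */
function mergeRel(existing: string | undefined, required: readonly string[]): string {
  const tokens = (existing ?? "").split(/\s+/).filter((t) => t.length > 0);
  const seen = new Set(tokens.map((t) => t.toLowerCase()));
  for (const token of required) {
    if (!seen.has(token.toLowerCase())) {
      tokens.push(token);
      seen.add(token.toLowerCase());
    }
  }
  return tokens.join(" ");
}

/** Applies the rule: target="_blank" or an external href gets noopener + noreferrer. */
function hardenLink(attrs: LinkAttrs, currentOrigin?: string): LinkAttrs {
  const opensNewWindow = (attrs.target ?? "").trim().toLowerCase() === "_blank";
  const external = isExternalUrl(attrs.href ?? "", currentOrigin);
  if (!opensNewWindow && !external) return { ...attrs };
  return { ...attrs, rel: mergeRel(attrs.rel, ["noopener", "noreferrer"]) };
}

// Constructed sample anchors (not from the project's tests), checked against app.example.
const SAMPLE_ORIGIN = "https://app.example";
const samples: LinkAttrs[] = [
  { href: "/about" },
  { href: "/help", target: "_blank" },
  { href: "HTTPS://APP.EXAMPLE/docs" },
  { href: "  https://other.example/page  " },
  { href: "//cdn.example/widget.js" },
  { href: "mailto:security@app.example" },
  { href: "https://partner.example", rel: "nofollow NoOpener" },
];

for (const link of samples) {
  const out = hardenLink(link, SAMPLE_ORIGIN);
  console.log(JSON.stringify(link), "->", out.rel ?? "(no rel added)");
}
```

Comparing URL.origin values rather than string prefixes is what makes the case and whitespace handling fall out for free, and resolving every href against a base is what turns a protocol-relative "//cdn.example/..." into an absolute URL whose host can be compared. Passing the origin explicitly, instead of reading window.location, is the part that keeps the check usable in an SSR or Node.js run, which is the environment the PR's test list calls out.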