gendesign/frontend/src
lekss361 6186804eb8 fix(docs): block javascript: URLs in renderMarkdown href (XSS guard)
Per audit batch #127 P2 security minor (issue #130).

## Risk

`renderMarkdown` substituted `[text](url)` → `<a href="...url...">` verbatim
без URL validation. Edge case: `[click](javascript:alert(1))` →
`<a href="javascript:alert(1)">click</a>` execute'нется при click.

Currently low risk (markdown source = build-time fs.readFileSync из
public/docs/, checked into repo), но защита-в-глубину: если когда-либо
markdown source станет user-supplied, vuln materialize.

## Fix

`frontend/src/app/docs/b2b-channels/renderMarkdown.ts`:

1. New `safeUrl(url)` function — allowlist `https://`, `http://`, `/`, `#`,
   `mailto:`. Everything else → `"#"`.
2. Link regex replacement switched from backreference string to callback
   so URL passes через `safeUrl` ДО injection в href.
3. URL unescape → safeUrl → re-escape (HTML escape applied per-line).

## Test cases verified

- `[ok](https://example.com)` → href=`https://example.com` 
- `[ok](/local)` → href=`/local` 
- `[ok](#anchor)` → href=`#anchor` 
- `[ok](mailto:foo@bar.com)` → href=`mailto:foo@bar.com` 
- `[bad](javascript:alert(1))` → href=`#` 
- `[bad](data:text/html,...)` → href=`#` 
- `[bad](vbscript:msgbox(1))` → href=`#` 

## Checks

- tsc: 0 errors
- lint: 0 warnings
- No existing `__tests__/renderMarkdown` to break

## Vault

`fixes/Bug_RenderMarkdown_JavascriptUrl_May14.md` — created.

Closes #130
2026-05-14 23:34:03 +03:00
..
app fix(docs): block javascript: URLs in renderMarkdown href (XSS guard) 2026-05-14 23:34:03 +03:00
components feat(site-finder): auto-fetch cadastre geometry on-demand (#93) (#95) 2026-05-12 09:02:17 +03:00
hooks feat(site-finder): auto-fetch cadastre geometry on-demand (#93) (#95) 2026-05-12 09:02:17 +03:00
lib feat(site-finder): auto-fetch cadastre geometry on-demand (#93) (#95) 2026-05-12 09:02:17 +03:00
types feat(site-finder): D4 pipeline 24mo — future competition (#36) (#90) 2026-05-12 08:34:02 +03:00