From 2f214b25c756d6f9cff08ac503397c1267f11b21 Mon Sep 17 00:00:00 2001
From: antelle <dmitryvit@gmail.com>
Date: Fri, 17 Apr 2020 20:45:41 +0200
Subject: [PATCH] filtering protocols in the url field

---
 app/scripts/views/fields/field-view-url.js | 29 ++++++++++++++++------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/app/scripts/views/fields/field-view-url.js b/app/scripts/views/fields/field-view-url.js
index e5b65826..dedaf331 100644
--- a/app/scripts/views/fields/field-view-url.js
+++ b/app/scripts/views/fields/field-view-url.js
@@ -1,22 +1,35 @@
 import { FieldViewText } from 'views/fields/field-view-text';
 import { escape } from 'util/fn';
 
+const AllowedProtocols = ['http:', 'https:', 'ftp:', 'ftps:', 'mailto:'];
+
 class FieldViewUrl extends FieldViewText {
     displayUrlRegex = /^https:\/\//i;
     cssClass = 'url';
 
     renderValue(value) {
-        return value
-            ? '<a href="' +
-                  escape(this.fixUrl(value)) +
-                  '" rel="noreferrer noopener" target="_blank">' +
-                  escape(this.displayUrl(value)) +
-                  '</a>'
-            : '';
+        try {
+            return value
+                ? '<a href="' +
+                      escape(this.fixUrl(value)) +
+                      '" rel="noreferrer noopener" target="_blank">' +
+                      escape(this.displayUrl(value)) +
+                      '</a>'
+                : '';
+        } catch (e) {
+            return escape(value);
+        }
     }
 
     fixUrl(url) {
-        return url.indexOf(':') < 0 ? 'https://' + url : url;
+        const proto = new URL(url, 'dummy://').protocol;
+        if (proto === 'dummy:') {
+            return 'https://' + url;
+        }
+        if (!AllowedProtocols.includes(proto)) {
+            throw new Error('Bad url');
+        }
+        return url;
     }
 
     displayUrl(url) {