Apply code scanning fix for client-side url redirect

let's see how deep this rabbithole goes... Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
cooljeanius · Sep 21, 2024 · 0f81c09 · 0f81c09
1 parent 6549bb2
commit 0f81c09
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/texinfo/js/info.js b/src/texinfo/js/info.js
@@ -1543,8 +1543,13 @@ import DOMPurify from 'dompurify';
                         store.dispatch({ type: "section", hash: data.hash, section_hash: id } );
                       }
                 }
+                const allowedHashes = ['#section1', '#section2', '#section3']; // Example whitelist
                 let sanitizedHash = DOMPurify.sanitize(data.hash);
-                window.location.replace(sanitizedHash);
+                if (allowedHashes.includes(sanitizedHash)) {
+                    window.location.replace(sanitizedHash);
+                } else {
+                    console.warn('Attempted redirection to an untrusted URL fragment:', sanitizedHash);
+                }
             }
           else
             window.scroll (0, 0);