feat(router-core, react-router, solid-router, vue-router): isDangerousProtocol uses customizable blocklist #6542
+441
−114
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…sProtocol uses customizable blocklist
Contributor
📝 Walkthrough📝 Walkthrough🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches
Comment |
|
View your CI Pipeline Execution ↗ for commit 0783869
☁️ Nx Cloud last updated this comment at |
Sheraff
commented
Jan 29, 2026
Comment on lines
-127
to
-137
| // Block dangerous protocols in redirect href | ||
| if ( | ||
| !opts._builtLocation && | ||
| typeof opts.href === 'string' && | ||
| isDangerousProtocol(opts.href) | ||
| ) { | ||
| throw new Error( | ||
| `Redirect blocked: unsafe protocol in href "${opts.href}". Only ${SAFE_URL_PROTOCOLS.join(', ')} protocols are allowed.`, | ||
| ) | ||
| } | ||
|
|
Contributor
Author
There was a problem hiding this comment.
We don't need to check here, since a redirect() is always handled by something else that will check, right?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
blob:anddata:are widely used protocols (so we should have a way to allow them), but they can also be considered dangerous if displaying untrusted links (so we should have a way to block them)List of CVEs about unsafe URL protocols:
Summary by CodeRabbit
protocolBlocklistoption toRouterOptionsacross React Router, Solid Router, and Vue Router. Users can now customize which URL protocols are blocked for links, redirects, and navigation.DEFAULT_PROTOCOL_BLOCKLISTas a public constant for reference when customizing protocol blocking behavior.✏️ Tip: You can customize this high-level summary in your review settings.