From 04decacaca47205fa3a55a86369be230732b1d0a Mon Sep 17 00:00:00 2001
From: yflory
Date: Tue, 13 Nov 2018 14:18:09 +0100
Subject: [PATCH] Forbid JavaScript in links to the bounce app

---
 www/bounce/main.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/www/bounce/main.js b/www/bounce/main.js
index edb4f029c..6d631089f 100644
--- a/www/bounce/main.js
+++ b/www/bounce/main.js
@@ -9,6 +9,12 @@ define(['/api/config'], function (ApiConfig) {
         window.alert('The bounce application must only be used with a valid href to visit');
         return;
     }
+    if (bounceTo.indexOf('javascript:') === 0 ||
+        bounceTo.indexOf('vbscript:') === 0 ||
+        bounceTo.indexOf('data:') === 0) {
+        window.alert('Illegal bounce URL');
+        return;
+    }
     window.opener = null;
     window.location.href = bounceTo;
 });
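Review bot: The three `indexOf(...) === 0` prefix checks added before `window.location.href = bounceTo` are a case-sensitive blocklist, and browsers do not apply the same rules when they navigate: URL schemes are matched case-insensitively (`JavaScript:alert(1)`), and the URL parser strips leading C0 controls/spaces and removes tab/newline characters anywhere in the input, so `"\tjavascript:..."` or `"java\nscript:..."` would pass this check and still execute. Whether such characters can reach `bounceTo` depends on how it is extracted earlier in the `define` callback, which starts outside this hunk, so treat that as a point to confirm; the safer fix regardless is to parse the value and allow only the schemes the bounce page is meant to forward to, rather than enumerate dangerous ones (`blob:` and `file:` are also missing from the list). I would replace the new block with a parse-and-allowlist check along these lines, keeping the existing alert text.
```javascript
    // … unchanged: the "valid href" guard above …
    // Parse with the browser's URL parser so case, leading whitespace and
    // embedded tab/newline are handled the same way navigation handles them;
    // then allow only http(s) instead of blocklisting known-bad schemes.
    var parsed;
    try { parsed = new URL(bounceTo); } catch (e) { parsed = null; }
    if (!parsed || (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')) {
        window.alert('Illegal bounce URL');
        return;
    }
    // … unchanged: window.opener = null; window.location.href = bounceTo; …
```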