Metrics: Add a validation for links in dashboard yml to prevent malicious links
Goal
As part of &3315 some links in the dashboard will be sent "raw" to the frontend and they could contain malicious URLs that will be rendered as hrefs (e.g. "javascript:alert("XSS")").
The links could be validated on the backend to clean them up.
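One way to do that backend validation, as an added example that is not GitLab's own code: an allowlist check that accepts only absolute http(s) URLs with a host and rejects everything else (javascript:, data:, scheme-relative, unparsable). The dashboard keys used here ("links", "url") are assumed for illustration and are not the real dashboard schema.

```ruby
require 'uri'

# Added example (not GitLab's own code): allowlist validation for links that
# come from user-supplied dashboard YAML before they are rendered as hrefs.
module DashboardLinkValidator
  ALLOWED_SCHEMES = %w[http https].freeze

  # Returns true only for absolute http(s) URLs with a host; everything else
  # (javascript:, data:, vbscript:, scheme-relative, unparsable) is rejected.
  def self.safe_url?(value)
    return false unless value.is_a?(String)

    candidate = value.strip
    return false if candidate.empty?
    # Embedded control characters (tabs, newlines) are a common way to smuggle
    # a scheme past naive prefix checks, so reject them outright.
    return false if candidate.match?(/[[:cntrl:]]/)

    uri = URI.parse(candidate)
    # Compare the scheme case-insensitively: "JavaScript:" must fail too.
    return false unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
    return false if uri.host.nil? || uri.host.empty?

    true
  rescue URI::InvalidURIError
    # Anything URI cannot parse is not something we want to render as an href.
    false
  end

  # Walks a dashboard hash (as loaded from YAML) and returns the link entries
  # that fail validation. The "links"/"url" keys are illustrative assumptions.
  def self.invalid_links(dashboard)
    Array(dashboard['links']).reject do |link|
      link.is_a?(Hash) && safe_url?(link['url'])
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample dashboard, not a real one.
  sample = {
    'links' => [
      { 'url' => 'https://example.com/dashboard' },
      { 'url' => 'javascript:alert("XSS")' },
      { 'url' => '//evil.example/steal' }
    ]
  }
  DashboardLinkValidator.invalid_links(sample).each do |link|
    puts "rejected: #{link['url'].inspect}"
  end
end
```

The validator errs on the side of rejecting: a link that fails to parse or lacks a host is dropped rather than passed through, which mirrors what an `isSafeURL`-style check on the frontend does but enforces it where the YAML is stored.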
Original Discussion
The following discussion from !32646 (merged) should be addressed:
@mrincon started a discussion: @gitlab-com/gl-security/appsec
👋 This feature allows users to add arbitrary links and display them in the UI. I added a basic check with isSafeURL on the frontend and tend to think that this is enough. The links are not validated in the backend. Please let me know if you think further actions should be taken.