[PR #601] [CLOSED] fix: reject dangerous URI schemes in client-side navigation #702

Closed
opened 2026-05-06 13:09:39 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/601
Author: @southpolesteve
Created: 3/20/2026
Status: Closed

Base: main ← Head: fix/block-dangerous-uri-schemes


📝 Commits (2)

  • fa1bef8 (https://github.com/cloudflare/vinext/commit/fa1bef840e6e707e4f9ffa4621ca110cb0cd68f1) fix: reject dangerous URI schemes in client-side navigation
  • 83f98d7 (https://github.com/cloudflare/vinext/commit/83f98d779e813a20bf4703fdde41f61b6ca9c8d2) test: update browser entry snapshot for dangerous scheme check

📊 Changes

4 files changed (+20 additions, -0 deletions)

📝 packages/vinext/src/entries/app-browser-entry.ts (+4 -0)
📝 packages/vinext/src/shims/navigation.ts (+3 -0)
📝 packages/vinext/src/shims/router.ts (+9 -0)
📝 tests/__snapshots__/entry-templates.test.ts.snap (+4 -0)

📄 Description

Summary

  • Client-side navigation functions now reject javascript:, data:, and vbscript: URI schemes before navigating.
  • Applied to all navigation entry points: Pages Router push/replace (both hook and singleton), App Router navigateImpl(), and the server action x-action-redirect handler.

Details

The client router passed URLs to window.location.assign() / window.location.replace() without validating the URI scheme. If application code called router.push() or router.replace() with untrusted input (e.g., a query parameter), dangerous schemes like javascript: would be navigated to.

The fix uses the existing isDangerousScheme() utility from url-safety.ts, which is already used by the Link and Form components. The server action redirect handler (x-action-redirect) gets an inline check since it lives in generated code.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
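The scheme check and the guarded navigation the description refers to, as an added example: this is not vinext's own `url-safety.ts` or router code (neither appears on this page), and the helper names, the `NavLocation` stand-in for `window.location`, and the browser-style whitespace normalisation are assumptions of this example.

```typescript
// Added example, not vinext's own url-safety.ts (which this page does not show):
// a scheme check of the kind the PR describes, and a guarded navigate() that
// mirrors the router.push()/router.replace() entry points it protects.

const DANGEROUS_SCHEMES: ReadonlySet<string> = new Set(["javascript", "data", "vbscript"]);

/**
 * Return the lower-cased scheme of `href`, or null for scheme-less (relative) URLs.
 * Normalises the way browsers do before parsing: leading/trailing C0 controls and
 * spaces are stripped and embedded tab/CR/LF are removed, so inputs such as
 * "\tjavascript:..." or "java\nscript:..." are recognised as javascript: URLs.
 */
function extractScheme(href: string): string | null {
  const normalized = href
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
  const match = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(normalized);
  return match && match[1] ? match[1].toLowerCase() : null;
}

/** True when navigating to `href` would run script (javascript:, vbscript:) or render attacker-controlled content (data:). */
function isDangerousScheme(href: string): boolean {
  const scheme = extractScheme(href);
  return scheme !== null && DANGEROUS_SCHEMES.has(scheme);
}

// Minimal stand-in for window.location so the wrapper is testable outside a browser.
interface NavLocation {
  assign(url: string): void;
  replace(url: string): void;
}

/**
 * Guarded navigation: the check runs before any location call, so a rejected
 * href never reaches the browser. Returns false when the navigation was blocked.
 */
function navigate(loc: NavLocation, href: string, mode: "push" | "replace" = "push"): boolean {
  if (isDangerousScheme(href)) {
    return false;
  }
  if (mode === "push") {
    loc.assign(href);
  } else {
    loc.replace(href);
  }
  return true;
}
```

A scheme check does not stop open redirects: a protocol-relative `//evil.example/` or an absolute `https://` URL passes it, so untrusted input that selects a destination still needs an allow-list of same-origin paths.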
