From c5bbc31f37f824334e0c8d582709e2320ac7a455 Mon Sep 17 00:00:00 2001
From: gtsp233
Date: Thu, 30 Nov 2023 23:36:39 -0500
Subject: [PATCH] feat: sanitize javascript url

---
 src/lib/src/components/NavBar/NavBarLink/index.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/lib/src/components/NavBar/NavBarLink/index.js b/src/lib/src/components/NavBar/NavBarLink/index.js
index 35e8ba56..0b13b70c 100644
--- a/src/lib/src/components/NavBar/NavBarLink/index.js
+++ b/src/lib/src/components/NavBar/NavBarLink/index.js
@@ -1,5 +1,7 @@
 import React from "react";
+const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i
+
 const NavBarLink = (props) => {
 const {
@@ -12,9 +14,15 @@ const NavBarLink = (props) => {
 onClick,
 showBadge,
 imgBorderRadius,
- badgeBackgroundColor
+ badgeBackgroundColor,
+ allowJavaScriptUrls = true
 } = props;
+ if (isJavaScriptProtocol.test(href) && !allowJavaScriptUrls) {
+ console.warn(`NavBarLink has blocked a javascript: URL as a security precaution`);
+ return null;
+ }
+
 const renderBadge = () => {
 if(showBadge > 0 || showBadge !== "") {
 return
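Review bot: The `isJavaScriptProtocol` regex in the first hunk carries no comment explaining its shape, and its shape is the whole point: the leading `[\u0000-\u001F ]*` and the `[\r\n\t]*` between every letter exist because browsers strip those characters before scheme parsing, so a naive `/^javascript:/i` would be bypassed by `java\tscript:` or a leading newline and a future maintainer may "simplify" it back into that. Suggest a comment above the constant such as `// Mirrors the javascript: check in react-dom's sanitizeURL: browsers strip control chars and CR/LF/TAB before scheme parsing, so the pattern must tolerate them. Do not simplify.` — the pattern appears to be the same one React DOM uses, so naming the source also tells a maintainer where to look for updates. Note that this is a denylist for one scheme only; `data:` and `vbscript:` hrefs are not caught, and if NavBarLink is expected to render untrusted hrefs an allowlist of permitted schemes (`http:`, `https:`, `mailto:`, relative) would be the more defensible contract.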
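Review bot: With `allowJavaScriptUrls = true` as the destructuring default in the second hunk, the new guard is opt-in, so a caller that passes an attacker-controlled `href` and does not know about the new prop gets no protection; the secure default is `allowJavaScriptUrls = false`, with the few callers that genuinely render `javascript:` links opting in. If `true` was chosen deliberately to keep existing callers working, that trade-off deserves a comment on the destructuring line, e.g. `// TODO: flip to false (deny by default) in the next major release`. Evaluating the flag first, `if (!allowJavaScriptUrls && isJavaScriptProtocol.test(href))`, also keeps the regex off the common path. Returning `null` removes the whole nav item rather than rendering it without an href, which may be intended but is worth stating in the component's documentation. `NavBarLink` starts in the first hunk and its body continues past the end of this one, and `href` is presumably destructured in the lines above this hunk.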