bug-fix: Fix cross site scripting vulnerability in OGTag (#907)

chohongm · web-flow · commit 182a9d4245e0 · 2024-01-05T15:48:38.000+09:00
Fixes: [CLNP-1845](https://sendbird.atlassian.net/browse/CLNP-1845) ### Changelogs - Fixed cross site scripting vulnerability in OGTag [CLNP-1845]: https://sendbird.atlassian.net/browse/CLNP-1845?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
diff --git a/src/ui/OGMessageItemBody/index.tsx b/src/ui/OGMessageItemBody/index.tsx
@@ -37,8 +37,15 @@ export default function OGMessageItemBody({
 }: Props): ReactElement {
   const imageRef = useRef<HTMLDivElement>(null);
   const { stringSet } = useContext(LocalizationContext);
+
   const openOGUrl = (): void => {
-    if (message?.ogMetaData?.url) window.open(message?.ogMetaData?.url);
+    let url = message?.ogMetaData?.url;
+    if (url) {
+      if (!url.startsWith('http://') && !url.startsWith('https://')) {
+        url = 'https://' + url;
+      }
+      window.open(url);
+    }
   };
   const isMessageMentioned = isMentionEnabled && message?.mentionedMessageTemplate?.length > 0 && message?.mentionedUsers?.length > 0;
   const tokens = useMemo(() => {
