ui: add limitation for href

packages/ui-default/backendlib/markdown-it-xss.ts

@@ -1,9 +1,9 @@
-import * as Xss from 'xss';
+import { FilterXSS } from 'xss';
 
 const stack = [];
 const voidTags = ['br', 'hr', 'input', 'img', 'link', 'source', 'col', 'area', 'base', 'meta', 'embed', 'param', 'track', 'wbr'];
 
-const tagCheck = new Xss.FilterXSS({
+const tagCheck = new FilterXSS({
   css: false,
   whiteList: {},
   onIgnoreTag(tag, html, options) {
@@ -32,7 +32,7 @@ const tagCheck = new Xss.FilterXSS({
   },
 });
 
-export const xss = new Xss.FilterXSS({
+export const xss = new FilterXSS({
   whiteList: {
     a: ['target', 'href', 'title'],
     abbr: ['title'],
@@ -113,6 +113,7 @@ export const xss = new Xss.FilterXSS({
   safeAttrValue(tag, name, value) {
     if (name === 'id') return `xss-id-${value}`;
     if (name === 'class') return value.replace(/badge/g, 'xss-badge');
+    if (name === 'href') return value.trim().startsWith('javascript:') ? '#' : value;
     return value;
   },
 });