playground: avoid XSS via external download url

Although this is the playground, avoid allowing arbitrary data to be set in an HTML element. These days we can use `URL()` to parse the hostname/port/pathname.
cockpit-project · Jun 20, 2023 · 1d03e7d · 1d03e7d
1 parent 934a4e3
commit 1d03e7d
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/pkg/playground/speed.js b/pkg/playground/speed.js
@@ -176,12 +176,11 @@ function download(ev) {
 
     /* Allow use of HTTP URLs */
     if (path.value.indexOf("http") === 0) {
-        const anchor = document.createElement("a");
-        anchor.href = path.value;
+        const url = new URL(path.value);
         options.payload = "http-stream2";
-        options.address = anchor.hostname;
-        options.port = parseInt(anchor.port, 10);
-        options.path = anchor.pathname;
+        options.address = url.hostname;
+        options.port = parseInt(url.port, 10);
+        options.path = url.pathname;
         options.method = "GET";
     } else {
         options.payload = "fsread1";