Skip to main content

safeHref

URL scheme allowlist for :href bindings against user-controlled data.

Components that bind URLs coming from a backend (a register row, a manifest field, anything outside the developer's direct control) need to validate the scheme before rendering. Without it, a malicious value of javascript:alert(1) or data:text/html,<script>...</script> executes code when the user clicks the link.

safeHref(url) returns the URL when its scheme is safe (https: / http: / mailto:) or it is a same-origin root-relative path (/path/...). Every other input — including javascript:, data:, vbscript:, protocol-relative //attacker.com, malformed URLs, and null / undefined — collapses to '#'.

Parameters

NameTypeDescription
urlstring | null | undefinedThe URL to validate.

Usage

import { safeHref } from '@conduction/nextcloud-vue'

safeHref('https://example.com') // → 'https://example.com'
safeHref('/apps/files') // → '/apps/files'
safeHref('mailto:[email protected]') // → 'mailto:[email protected]'
safeHref('javascript:alert(1)') // → '#'
safeHref('data:text/html,<h1>x</h1>') // → '#'
safeHref('//attacker.com/x') // → '#'
safeHref(null) // → '#'

Companion utilities for image and SVG bindings:

  • safeImageSrc:src allowlist for <img> bindings (HTTPS / HTTP / inline data:image/* only).
  • safeSvgPath:d allowlist for <path> bindings.