Updated the process_anchors.js file to remove vulnerability when dete…

…rmining if a link is internal or external.
GSA · Dec 3, 2024 · b60b5c6 · b60b5c6
1 parent 87cd69e
commit b60b5c6
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/src/plugins/process_anchors.js b/src/plugins/process_anchors.js
@@ -17,8 +17,11 @@ import path from 'path'
 function isInternalDomain(url) {
   try {
     const domain = new URL(url)
-
-    return domain.hostname === 'gsa.gov' || domain.hostname === 'www.gsa.gov'|| domain.protocol === 'mailto:'
+    const internalHost = [
+      'gsa.gov',
+      'www.gsa.gov' 
+    ]
+    return internalHost.includes(domain.hostname) || domain.protocol === 'mailto:'
   } catch(e) {
     // this represents urls like "/some/path" without domain
     return true