diff --git a/src/library/zoid/message/component.js b/src/library/zoid/message/component.js
index ac0aa21b5f..bdf8041d07 100644
--- a/src/library/zoid/message/component.js
+++ b/src/library/zoid/message/component.js
@@ -144,7 +144,9 @@ export default createGlobalVariableGetter('__paypal_credit_message__', () =>
         const { modal, index, account, merchantId, currency, amount, buyerCountry, onApply } = props;
         const { offerType, offerCountry, messageRequestId, lander } = meta;
         if (offerType === 'PURCHASE_PROTECTION') {
-            getURIPopup(lander, offerType);
+            if (getURIPopup(lander, offerType) == null) {
+                logger.warn('Blocked unsafe lander URL', { lander });
+            }
         } else {
             // Avoid spreading message props because both message and modal
             // zoid components have an onClick prop that functions differently
diff --git a/src/utils/sdk.js b/src/utils/sdk.js
index 4f798167c3..1fa0349d97 100644
--- a/src/utils/sdk.js
+++ b/src/utils/sdk.js
@@ -1,6 +1,5 @@
 /* eslint-disable eslint-comments/disable-enable-pair, no-else-return */
 import arrayFrom from 'core-js-pure/stable/array/from';
-
 import { getStorage as getBelterStorage } from '@krakenjs/belter/src';
 import { SDK_QUERY_KEYS, SDK_SETTINGS } from '@paypal/sdk-constants/src';
 import {
@@ -22,7 +21,6 @@ import {
     getDisableSetCookie as getSDKDisableCookie,
     getPageType as getSDKPageType
 } from '@paypal/sdk-client/src';
-
 import { TAG } from './constants';
 
 export function getDisableSetCookie() {
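Review bot: The `== null` check in the component.js hunk cannot tell a rejected lander URL apart from a popup the browser refused to open, because `window.open` itself returns `null` when a popup blocker intervenes, so 'Blocked unsafe lander URL' will also be logged for perfectly valid paypal.com landers whenever the popup is suppressed. Either have `getURIPopup` distinguish the two outcomes (for example by logging the rejection itself before returning `null`, where it knows the URL failed validation) or soften the message here to something like `logger.warn('Lander popup not opened', { lander })`. The warning also ships the full `lander` value to the logger; if landers can carry query parameters, consider logging only `new URL(lander).origin` (inside a try) so the log does not retain whatever the untrusted URL contained. I cannot see whether `logger` is imported in this file; if it is not already in scope, this hunk will throw at runtime. The enclosing callback starts and ends outside the hunk.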
@@ -275,5 +273,18 @@ export function getFeatures(featureProps) {
 
 // open mini-browser with message lander url
 export function getURIPopup(lander, label) {
-    return window.open(lander, label, 'width=460,height=900');
+    try {
+        // eslint-disable-next-line compat/compat
+        const parsed = new URL(lander);
+        const isHttp = parsed.protocol === 'https:';
+        const isPayPalDomain = /\.paypal\.com$/i.test(parsed.hostname);
+
+        if (isHttp && isPayPalDomain) {
+            return window.open(lander, label, 'width=460,height=900');
+        } else {
+            return null;
+        }
+    } catch (e) {
+        return null;
+    }
 }
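Review bot: `isHttp` is misnamed in the new `getURIPopup` body: the comparison is against `'https:'`, so the flag should read `const isHttps = parsed.protocol === 'https:';` (and `if (isHttps && isPayPalDomain)`) to avoid a future reader "fixing" it to accept plain http. Checking `parsed.hostname` rather than the raw string is the right anchor here, since the URL parser strips userinfo, port and path and serialises the host to ASCII, so lookalike or embedded-`@` tricks cannot pass the suffix test; note though that `/\.paypal\.com$/i` rejects the bare apex `paypal.com`, which may or may not be intended and deserves a one-line comment either way. The relative-URL case (`new URL('/foo')` with no base) is rejected through the `catch`, which is correct but worth a JSDoc: `@param {string} lander absolute https URL on a *.paypal.com host` / `@returns {Window|null} the popup, or null when the URL is rejected or the browser suppresses the popup`, so callers know `null` is not only the validation outcome. The unused binding in `catch (e)` could be `catch {` if the project's target supports optional catch binding, which I cannot confirm from this diff.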