From f54e18ca445659a3516bced8275718b04b6c17f0 Mon Sep 17 00:00:00 2001
From: Brezo Cordero <8002881+brezocordero@users.noreply.github.com>
Date: Fri, 14 Apr 2023 21:50:40 -0500
Subject: [PATCH] Escape values in Button block template [MAILPOET-5235]
---
 mailpoet/assets/js/src/handlebars_helpers.js | 17 +++++++++++++++++
 .../templates/blocks/button/block.hbs | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/mailpoet/assets/js/src/handlebars_helpers.js b/mailpoet/assets/js/src/handlebars_helpers.js
index 9290db9483..de221e5fb7 100644
--- a/mailpoet/assets/js/src/handlebars_helpers.js
+++ b/mailpoet/assets/js/src/handlebars_helpers.js
@@ -159,6 +159,23 @@ Handlebars.registerHelper('getNumber', function getNumberHelper(string) {
 return parseInt(string, 10);
 });
 
+Handlebars.registerHelper('escapeURL', function escapeURLHelper(url) {
+ if (!url) {
+ return '';
+ }
+
+ try {
+ const escapedURL = new URL(url);
+ // eslint-disable-next-line no-script-url
+ if (escapedURL.protocol === 'javascript:') {
+ return '';
+ }
+ return escapedURL.href;
+ } catch (e) {
+ return '';
+ }
+});
+
 Handlebars.registerHelper(
 'fontWithFallback',
 function fontWithFallbackHelper(font) {
diff --git a/mailpoet/views/newsletter/templates/blocks/button/block.hbs b/mailpoet/views/newsletter/templates/blocks/button/block.hbs
index 36cc1b2218..f8fcc3b209 100644
--- a/mailpoet/views/newsletter/templates/blocks/button/block.hbs
+++ b/mailpoet/views/newsletter/templates/blocks/button/block.hbs
@@ -1,5 +1,5 @@
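Review bot: The scheme check in `escapeURLHelper` is a denylist with a single entry, `javascript:`, so every other scheme that `new URL()` accepts is returned unchanged, including script-capable ones such as `data:` and `vbscript:`. An allowlist is the more robust form for a link target: `if (!['http:', 'https:', 'mailto:'].includes(escapedURL.protocol)) { return ''; }`, with the list adjusted to the schemes button links legitimately need. Separately, `new URL(url)` throws for anything that is not an absolute URL, so a relative path or a placeholder value (if the editor allows those in the button URL field) would silently render as an empty string; it is worth confirming that this is intended. The helper validates and normalises rather than escapes, so a one-line comment above it, e.g. `// Returns a normalised href for allowed schemes, '' otherwise; HTML escaping is left to the template.`, would keep the name from misleading callers.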