From 89fa546a1481e56d14cfc4d666a55482b0c85fd1 Mon Sep 17 00:00:00 2001
From: Darek
Date: Fri, 21 Apr 2023 12:08:04 -0700
Subject: [PATCH] Merge pull request from GHSA-92x4-vfjf-rmf7

---
 netbox/extras/models/models.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/netbox/extras/models/models.py b/netbox/extras/models/models.py
index 3cab6154d1e..718cba5c12d 100644
--- a/netbox/extras/models/models.py
+++ b/netbox/extras/models/models.py
@@ -1,4 +1,5 @@
 import json
+import urllib.parse
 import uuid
 
 from django.conf import settings
@@ -28,7 +29,7 @@
     CloningMixin, CustomFieldsMixin, CustomLinksMixin, ExportTemplatesMixin, JobResultsMixin, TagsMixin, WebhooksMixin,
 )
 from utilities.querysets import RestrictedQuerySet
-from utilities.utils import render_jinja2
+from utilities.utils import clean_html, render_jinja2
 
 __all__ = (
     'ConfigRevision',
@@ -273,6 +274,18 @@ def render(self, context):
         link = render_jinja2(self.link_url, context)
         link_target = ' target="_blank"' if self.new_window else ''
 
+        # Sanitize link text
+        allowed_schemes = get_config().ALLOWED_URL_SCHEMES
+        text = clean_html(text, allowed_schemes)
+
+        # Sanitize link
+        link = urllib.parse.quote_plus(link, safe='/:?&')
+
+        # Verify link scheme is allowed
+        result = urllib.parse.urlparse(link)
+        if result.scheme and result.scheme not in allowed_schemes:
+            link = ""
+
         return {
             'text': text,
             'link': link,
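Review bot: The `safe='/:?&'` set on the new `link = urllib.parse.quote_plus(link, safe='/:?&')` line leaves `=`, `#` and `%` out, so a rendered link that carries a query string (for example `/dcim/devices/?site=1`) comes back with `%3D` in place of `=`, a fragment is encoded away, and a link_url that is already percent-encoded is encoded a second time; `quote_plus` also turns spaces into `+`, which is only correct inside a query component. The scheme check on the following lines is what actually rejects a disallowed URL, so the encoding step can be less aggressive without weakening that check: `link = urllib.parse.quote(link, safe='/:?&=#')`, or at minimum add `=` and `#` to `safe` and keep `quote_plus`. `get_config` is not among the imports this commit touches, so it is presumably already in scope in this module; worth confirming before merge. The `# Sanitize link` comment would read better as `# Percent-encode anything outside the URL-safe set; the scheme is validated below`. The enclosing `render` method starts before this hunk and the returned dict continues after it.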