diff --git a/apps/block_scout_web/lib/block_scout_web/templates/tokens/instance/overview/_details.html.eex b/apps/block_scout_web/lib/block_scout_web/templates/tokens/instance/overview/_details.html.eex
index bcb1734091f0..ecf98e0c96f6 100644
--- a/apps/block_scout_web/lib/block_scout_web/templates/tokens/instance/overview/_details.html.eex
+++ b/apps/block_scout_web/lib/block_scout_web/templates/tokens/instance/overview/_details.html.eex
@@ -41,7 +41,7 @@
<%= if external_url(@token_instance.instance) do %>
- target="_blank">
+ target="_blank">
View In App <%= render BlockScoutWeb.IconsView, "_external_link.html" %>
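Review bot: The removed and added lines of this hunk print identically (`target="_blank">`), so the actual change is not recoverable from this page and I can only review the surrounding anchor. The link opens in a new tab and its target comes from NFT metadata via `external_url(@token_instance.instance)` on the line above, i.e. an untrusted value; unless the attribute list above the hunk already carries it, the anchor should read `target="_blank" rel="noopener noreferrer">` so the opened page cannot reach `window.opener` or receive the explorer URL as referrer. The anchor's opening `<a href=...` line lies outside the hunk, so treat that as something to confirm rather than a certain gap.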
diff --git a/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex b/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
index 1c0c748dc415..ba62117bd6a3 100644
--- a/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
+++ b/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
@@ -102,10 +102,14 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewView do
def external_url(nil), do: nil
+ def external_url("http" <> _rest = external_url), do: external_url
+
+ def external_url(string) when is_binary(string), do: external_url(nil)
+
def external_url(instance) do
result =
if instance.metadata && instance.metadata["external_url"] do
- instance.metadata["external_url"]
+ instance.metadata["external_url"] |> external_url()
else
external_url(nil)
end
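Review bot: The new `"http" <> _rest` clause is a byte-prefix test, not a scheme check: it rejects a perfectly valid `HTTPS://...` (fail-closed, so not dangerous) but accepts any string that merely begins with those four characters, so the allow-list is really "starts with http" rather than "scheme is http or https". Parsing with `URI.parse/1` and matching the scheme against an explicit list, with case normalised, states the intent and survives later edits; the two string clauses collapse into one. Separately, a metadata `external_url` that is neither `nil` nor a binary (a list or map from a malformed JSON document) now falls through to the last clause and raises on `instance.metadata`, whereas before the change it was returned as-is; a final `def external_url(_other), do: nil` after the `is_map/1`-guarded instance clause would keep that path fail-closed instead of crashing the view. Note that `external_url/1`'s struct clause continues past the hunk, so I have not seen how `result` is used afterwards.
```elixir
def external_url(nil), do: nil

def external_url(url) when is_binary(url) do
  # Only http(s) may be rendered as a clickable link; every other scheme is treated as absent.
  scheme = URI.parse(url).scheme

  if is_binary(scheme) and String.downcase(scheme) in ["http", "https"], do: url, else: nil
end

def external_url(instance) when is_map(instance) do
  # … unchanged: struct clause body, now calling external_url/1 on the metadata value …
end

def external_url(_other), do: nil
```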
diff --git a/apps/block_scout_web/priv/gettext/default.pot b/apps/block_scout_web/priv/gettext/default.pot
index f12a4b53c4c9..268b33cd9b34 100644
--- a/apps/block_scout_web/priv/gettext/default.pot
+++ b/apps/block_scout_web/priv/gettext/default.pot
@@ -1642,7 +1642,7 @@ msgstr ""
#: lib/block_scout_web/templates/tokens/instance/metadata/index.html.eex:18
#: lib/block_scout_web/templates/tokens/instance/overview/_tabs.html.eex:10
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:198
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:202
#, elixir-autogen, elixir-format
msgid "Metadata"
msgstr ""
@@ -2659,7 +2659,7 @@ msgstr ""
#: lib/block_scout_web/templates/transaction/_tabs.html.eex:4
#: lib/block_scout_web/templates/transaction_token_transfer/index.html.eex:7
#: lib/block_scout_web/views/address_view.ex:434
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:197
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:201
#: lib/block_scout_web/views/tokens/overview_view.ex:39
#: lib/block_scout_web/views/transaction_view.ex:526
#, elixir-autogen, elixir-format
diff --git a/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po b/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po
index d7f10ff53419..248cea3a41a9 100644
--- a/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po
+++ b/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po
@@ -1642,7 +1642,7 @@ msgstr ""
#: lib/block_scout_web/templates/tokens/instance/metadata/index.html.eex:18
#: lib/block_scout_web/templates/tokens/instance/overview/_tabs.html.eex:10
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:198
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:202
#, elixir-autogen, elixir-format
msgid "Metadata"
msgstr ""
@@ -2659,7 +2659,7 @@ msgstr ""
#: lib/block_scout_web/templates/transaction/_tabs.html.eex:4
#: lib/block_scout_web/templates/transaction_token_transfer/index.html.eex:7
#: lib/block_scout_web/views/address_view.ex:434
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:197
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:201
#: lib/block_scout_web/views/tokens/overview_view.ex:39
#: lib/block_scout_web/views/transaction_view.ex:526
#, elixir-autogen, elixir-format
diff --git a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
index ec01e6a2070b..37d0417cf88c 100644
--- a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
+++ b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
@@ -119,4 +119,40 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewViewTest do
"https://assets.cargo.build/611a883b0d039100261bfe79/b89cf189-13e9-47ed-b801-a1f6aa15a7bf/a0784ea0-45be-41cd-9cdd-cc40ad20f20d-zombiepngpng.png"
end
end
+
+ describe "external_url/1" do
+ test "does not return invalid url scheme" do
+ json = """
+ {
+ "name": "CELO XSS",
+ "image": "https://0-a.nl/nft/nft.jpg",
+ "description": "CELO XSS",
+ "external_url": "javascript:eval(atob('YWxlcnQoIndoYXRzdXAgaXQncyB5YSBib3l5Iik'))"
+ }
+ """
+
+ data = Jason.decode!(json)
+
+ result = OverviewView.external_url(%{metadata: data})
+
+ assert result == nil, "non http url schemes should be stripped from external_url and treated as missing"
+ end
+
+ test "Returns valid uri scheme" do
+ json = """
+ {
+ "name": "CELO NFT test",
+ "image": "https://0-a.nl/nft/nft.jpg",
+ "description": "CELO NFT test",
+ "external_url": "https://happyland.nft"
+ }
+ """
+
+ data = Jason.decode!(json)
+
+ result = OverviewView.external_url(%{metadata: data})
+
+ assert String.starts_with?(result, "http"), "Valid url should be returned"
+ end
+ end
end
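Review bot: The second test only checks `String.starts_with?(result, "http")`, which would also pass if the function returned a truncated or rewritten value; pin the contract with `assert result == "https://happyland.nft"`. The first test covers one lowercase `javascript:` value, but the clause under test is a literal prefix match, so a mixed-case spelling of the same scheme and a non-string `external_url` (for example a JSON object) are the inputs most likely to regress and deserve their own cases, the latter asserting `nil` rather than an exception. Both `describe` blocks here are complete within the hunk.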