mirror of
https://git.joinsharkey.org/Sharkey/Sharkey.git
synced 2024-12-18 19:13:08 +02:00
fix(client): validate urls to improve security
This commit is contained in:
parent
572000f868
commit
788ae2f6ca
4 changed files with 4 additions and 0 deletions
|
@ -86,6 +86,7 @@ let tweetHeight = $ref(150);
|
||||||
let unknownUrl = $ref(false);
|
let unknownUrl = $ref(false);
|
||||||
|
|
||||||
const requestUrl = new URL(props.url);
|
const requestUrl = new URL(props.url);
|
||||||
|
if (!['http:', 'https:'].includes(requestUrl.protocol)) throw new Error('invalid url');
|
||||||
|
|
||||||
if (requestUrl.hostname === 'twitter.com' || requestUrl.hostname === 'mobile.twitter.com') {
|
if (requestUrl.hostname === 'twitter.com' || requestUrl.hostname === 'mobile.twitter.com') {
|
||||||
const m = requestUrl.pathname.match(/^\/.+\/status(?:es)?\/(\d+)/);
|
const m = requestUrl.pathname.match(/^\/.+\/status(?:es)?\/(\d+)/);
|
||||||
|
|
|
@ -26,6 +26,7 @@ const props = defineProps<{
|
||||||
}>();
|
}>();
|
||||||
|
|
||||||
const requestUrl = new URL(props.url);
|
const requestUrl = new URL(props.url);
|
||||||
|
if (!['http:', 'https:'].includes(requestUrl.protocol)) throw new Error('invalid url');
|
||||||
|
|
||||||
let fetching = $ref(true);
|
let fetching = $ref(true);
|
||||||
let title = $ref<string | null>(null);
|
let title = $ref<string | null>(null);
|
||||||
|
|
|
@ -33,6 +33,7 @@ const props = defineProps<{
|
||||||
|
|
||||||
const self = props.url.startsWith(local);
|
const self = props.url.startsWith(local);
|
||||||
const url = new URL(props.url);
|
const url = new URL(props.url);
|
||||||
|
if (!['http:', 'https:'].includes(url.protocol)) throw new Error('invalid url');
|
||||||
const el = ref();
|
const el = ref();
|
||||||
|
|
||||||
useTooltip(el, (showing) => {
|
useTooltip(el, (showing) => {
|
||||||
|
|
|
@ -70,6 +70,7 @@ async function accept(): Promise<void> {
|
||||||
state = 'accepted';
|
state = 'accepted';
|
||||||
if (props.callback) {
|
if (props.callback) {
|
||||||
const cbUrl = new URL(props.callback);
|
const cbUrl = new URL(props.callback);
|
||||||
|
if (!['http:', 'https:'].includes(cbUrl.protocol)) throw new Error('invalid url');
|
||||||
cbUrl.searchParams.set('session', props.session);
|
cbUrl.searchParams.set('session', props.session);
|
||||||
location.href = cbUrl.href;
|
location.href = cbUrl.href;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue