fix: sanitise links passed to react-router

fix: flip protocol sanitisation to use a whitelist
Paul Makles 2022-09-18 10:24:15 +01:00
parent 61a06c3f1a
commit 47bfaad508


@ -13,6 +13,27 @@ const ALLOWED_ORIGINS = [
"local.revolt.chat", "local.revolt.chat",
]; ];
const PROTOCOL_WHITELIST = [
"https",
"ftp",
"ftps",
"mailto",
"news",
"irc",
"gopher",
"nntp",
"feed",
"telnet",
"mms",
"rtsp",
"svn",
"git",
"tel",
"fax",
"xmpp",
"magnet",
];
export function determineLink(href?: string): LinkType { export function determineLink(href?: string): LinkType {
let internal, let internal,
url: URL | null = null; url: URL | null = null;
@ -22,13 +43,13 @@ export function determineLink(href?: string): LinkType {
url = new URL(href, location.href); url = new URL(href, location.href);
if (ALLOWED_ORIGINS.includes(url.hostname)) { if (ALLOWED_ORIGINS.includes(url.hostname)) {
const path = url.pathname; const path = url.pathname.replace(/[^A-z0-9/]/g, "");
return { type: "navigate", path }; return { type: "navigate", path };
} }
} catch (err) {} } catch (err) {}
if (!internal && url) { if (!internal && url) {
if (!url.protocol.startsWith("javascript")) { if (PROTOCOL_WHITELIST.includes(url.protocol)) {
return { type: "external", href, url }; return { type: "external", href, url };
} }
} }
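Review bot: The new condition `PROTOCOL_WHITELIST.includes(url.protocol)` in the second hunk cannot match any entry, because `URL.protocol` includes the trailing colon (`"https:"`) while the list holds bare scheme names, so no link would be classified as `external`. Compare the scheme without the colon, `if (PROTOCOL_WHITELIST.includes(url.protocol.slice(0, -1))) {`, or store the entries as `"https:"` and so on; `http` is also absent from the list, which may be deliberate but is worth a comment beside the array. In the same hunk the path filter `/[^A-z0-9/]/g` uses the range `A-z`, which also admits `[`, `\`, `]`, `^`, `_` and the backtick, a wider set than the letters, digits and slash the expression appears to intend. Spelling the set out, `url.pathname.replace(/[^A-Za-z0-9_/]/g, "")` (drop the `_` if it is not needed), makes the allowed characters explicit. The body of `determineLink` starts before and continues past the lines shown, so what happens to a rejected link is not visible here.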