Explicitly deny bad URLs.
Fixes #252. Handle embed untrusted links better.
parent
66289911ba
commit
81379d6ec4
5 changed files with 26 additions and 22 deletions
|
@ -1,5 +1,5 @@
|
|||
.embed {
|
||||
margin: .2em 0;
|
||||
margin: 0.2em 0;
|
||||
|
||||
iframe {
|
||||
border: none;
|
||||
|
@ -87,26 +87,30 @@
|
|||
.footer {
|
||||
font-size: 12px;
|
||||
}
|
||||
|
||||
|
||||
img.image {
|
||||
cursor: pointer;
|
||||
object-fit: contain;
|
||||
border-radius: var(--border-radius);
|
||||
}
|
||||
|
||||
a {
|
||||
cursor: pointer;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TODO: unified actions css (see attachment.module.scss for other actions css)
|
||||
.actions {
|
||||
display: grid;
|
||||
grid-template:
|
||||
grid-template:
|
||||
"name open" auto
|
||||
"size open" auto
|
||||
/ minmax(20px, 1fr) min-content;
|
||||
|
||||
align-items: center;
|
||||
column-gap: 12px;
|
||||
|
||||
|
||||
width: 100%;
|
||||
padding: 8px;
|
||||
overflow: none;
|
||||
|
@ -119,7 +123,7 @@
|
|||
white-space: nowrap;
|
||||
overflow: hidden;
|
||||
}
|
||||
|
||||
|
||||
.filesize {
|
||||
grid-area: size;
|
||||
|
||||
|
|
|
@ -111,14 +111,11 @@ export default function Embed({ embed }: Props) {
|
|||
{embed.title && (
|
||||
<span>
|
||||
<a
|
||||
onClick={(e) =>
|
||||
openLink(e.currentTarget.href) &&
|
||||
e.preventDefault()
|
||||
onMouseDown={(ev) =>
|
||||
(ev.button === 0 || ev.button === 1) &&
|
||||
openLink(embed.url)
|
||||
}
|
||||
href={embed.url}
|
||||
target={"_blank"}
|
||||
className={styles.title}
|
||||
rel="noreferrer">
|
||||
className={styles.title}>
|
||||
{embed.title}
|
||||
</a>
|
||||
</span>
|
||||
|
@ -159,9 +156,7 @@ export default function Embed({ embed }: Props) {
|
|||
frameBorder="0"
|
||||
loading="lazy"
|
||||
onClick={() => openScreen({ id: "image_viewer", embed })}
|
||||
onMouseDown={(ev) =>
|
||||
ev.button === 1 && window.open(embed.url, "_blank")
|
||||
}
|
||||
onMouseDown={(ev) => ev.button === 1 && openLink(embed.url)}
|
||||
/>
|
||||
);
|
||||
}
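Review bot: The title anchor in the first hunk of this section no longer carries an `href` and opens on `onMouseDown`, which is what stops the browser from navigating to the untrusted `embed.url` on its own, but nothing in the code records that this is deliberate. A short comment above the `<a>` would keep a later accessibility or lint fix from restoring the attribute: `// No href on purpose: embed.url is untrusted and must only be opened through openLink().` The same trade-off means the link cannot be reached by keyboard or inspected on hover, so the `external_link_prompt` opened from openLink appears to be the only place a user sees the real destination behind the remote-supplied `embed.title`. Both handlers sit inside Embed, whose body starts and ends outside these hunks.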
|
||||
|
|
|
@ -151,11 +151,9 @@ export default function Intermediate(props: Props) {
|
|||
id: "external_link_prompt",
|
||||
link: link.href,
|
||||
});
|
||||
|
||||
return true;
|
||||
} else {
|
||||
window.open(link.href, "_blank", "noreferrer");
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -4,12 +4,16 @@ import { dispatch } from "../../../redux";
|
|||
|
||||
import Modal from "../../../components/ui/Modal";
|
||||
|
||||
import { useIntermediate } from "../Intermediate";
|
||||
|
||||
interface Props {
|
||||
onClose: () => void;
|
||||
link: string;
|
||||
}
|
||||
|
||||
export function ExternalLinkModal({ onClose, link }: Props) {
|
||||
const { openLink } = useIntermediate();
|
||||
|
||||
return (
|
||||
<Modal
|
||||
visible={true}
|
||||
|
@ -18,7 +22,7 @@ export function ExternalLinkModal({ onClose, link }: Props) {
|
|||
actions={[
|
||||
{
|
||||
onClick: () => {
|
||||
window.open(link, "_blank", "noreferrer");
|
||||
openLink(link);
|
||||
onClose();
|
||||
},
|
||||
confirmation: true,
|
||||
|
@ -40,7 +44,8 @@ export function ExternalLinkModal({ onClose, link }: Props) {
|
|||
domain: url.hostname,
|
||||
});
|
||||
} catch (e) {}
|
||||
window.open(link, "_blank", "noreferrer");
|
||||
|
||||
openLink(link);
|
||||
onClose();
|
||||
},
|
||||
plain: true,
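Review bot: Both actions now call `openLink(link)` without telling it the user has already confirmed, and the visible part of openLink in Intermediate opens `external_link_prompt` for an external link unless a condition outside that hunk routes it to `window.open`. If that condition evaluates the same way when called from the plain confirm action, pressing it would re-open this modal instead of the link; this needs checking against the full function. If it does loop, openLink needs an explicit way to be told the link was confirmed, for example a proposed optional second argument used here as `openLink(link, true)`, so the protocol check still runs but the prompt is skipped.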
|
||||
|
|
|
@ -52,7 +52,9 @@ export function determineLink(href?: string): LinkType {
|
|||
} catch (err) {}
|
||||
|
||||
if (!internal && url) {
|
||||
return { type: "external", href, url };
|
||||
if (url.protocol !== "javascript") {
|
||||
return { type: "external", href, url };
|
||||
}
|
||||
}
|
||||
}
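Review bot: The new guard `url.protocol !== "javascript"` can never reject anything, because `URL.protocol` always includes the trailing colon (`"javascript:"`), so a `javascript:` href is still returned as `type: "external"`. Compare against `"javascript:"`, or better, turn the denylist into an allowlist so other non-web schemes such as `data:` are refused as well: `if (url.protocol === "http:" || url.protocol === "https:") {`. If further schemes (for example `mailto:`) are meant to open, list them explicitly rather than letting everything except one scheme through. determineLink starts and ends outside this hunk, so what it returns for a rejected URL is not visible here and should be confirmed to be a type that openLink does not navigate to.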
|
||||
|
||||
|
|