Explicitly deny bad URLs.

Fixes #252.
Handle embed untrusted links better.
This commit is contained in:
Paul 2021-09-25 10:54:32 +01:00
parent 66289911ba
commit 81379d6ec4
5 changed files with 26 additions and 22 deletions

View file

@ -1,5 +1,5 @@
.embed {
margin: .2em 0;
margin: 0.2em 0;
iframe {
border: none;
@ -93,6 +93,10 @@
object-fit: contain;
border-radius: var(--border-radius);
}
a {
cursor: pointer;
}
}
}

View file

@ -111,14 +111,11 @@ export default function Embed({ embed }: Props) {
{embed.title && (
<span>
<a
onClick={(e) =>
openLink(e.currentTarget.href) &&
e.preventDefault()
onMouseDown={(ev) =>
(ev.button === 0 || ev.button === 1) &&
openLink(embed.url)
}
href={embed.url}
target={"_blank"}
className={styles.title}
rel="noreferrer">
className={styles.title}>
{embed.title}
</a>
</span>
@ -159,9 +156,7 @@ export default function Embed({ embed }: Props) {
frameBorder="0"
loading="lazy"
onClick={() => openScreen({ id: "image_viewer", embed })}
onMouseDown={(ev) =>
ev.button === 1 && window.open(embed.url, "_blank")
}
onMouseDown={(ev) => ev.button === 1 && openLink(embed.url)}
/>
);
}

View file

@ -151,11 +151,9 @@ export default function Intermediate(props: Props) {
id: "external_link_prompt",
link: link.href,
});
return true;
} else {
window.open(link.href, "_blank", "noreferrer");
}
return false;
}
}

View file

@ -4,12 +4,16 @@ import { dispatch } from "../../../redux";
import Modal from "../../../components/ui/Modal";
import { useIntermediate } from "../Intermediate";
interface Props {
onClose: () => void;
link: string;
}
export function ExternalLinkModal({ onClose, link }: Props) {
const { openLink } = useIntermediate();
return (
<Modal
visible={true}
@ -18,7 +22,7 @@ export function ExternalLinkModal({ onClose, link }: Props) {
actions={[
{
onClick: () => {
window.open(link, "_blank", "noreferrer");
openLink(link);
onClose();
},
confirmation: true,
@ -40,7 +44,8 @@ export function ExternalLinkModal({ onClose, link }: Props) {
domain: url.hostname,
});
} catch (e) {}
window.open(link, "_blank", "noreferrer");
openLink(link);
onClose();
},
plain: true,

View file

@ -52,7 +52,9 @@ export function determineLink(href?: string): LinkType {
} catch (err) {}
if (!internal && url) {
return { type: "external", href, url };
if (url.protocol !== "javascript") {
return { type: "external", href, url };
}
}
}