fix(client): validate urls to improve security
		| @@ -86,6 +86,7 @@ let tweetHeight = $ref(150); | ||||
| let unknownUrl = $ref(false); | ||||
|  | ||||
| const requestUrl = new URL(props.url); | ||||
| if (!['http:', 'https:'].includes(requestUrl.protocol)) throw new Error('invalid url'); | ||||
|  | ||||
| if (requestUrl.hostname === 'twitter.com' || requestUrl.hostname === 'mobile.twitter.com') { | ||||
| 	const m = requestUrl.pathname.match(/^\/.+\/status(?:es)?\/(\d+)/); | ||||
|   | ||||
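Review bot: The new check on the line after `const requestUrl = new URL(props.url);` throws at the top level of what looks like a Vue `<script setup>` block (the `$ref`/`defineProps` usage suggests this), so a non-http(s) URL aborts component setup instead of rendering the fallback that the existing `unknownUrl` ref appears to exist for; the same applies to the identical additions in the three later hunks (`const requestUrl = new URL(props.url);` at line 15, `const url = new URL(props.url);` at line 24, and `cbUrl` in `accept()`). The URL constructor itself also throws a `TypeError` on a malformed string, which the new line does not guard, so the untrusted input still reaches an uncaught exception path. Since the same scheme check is now repeated in four places, a shared helper such as `isHttpUrl(raw: string): boolean` (returning false on both a parse failure and a non-http(s) scheme) would keep the allowlist in one spot. Whether setting `unknownUrl = true` at setup time produces the intended fallback depends on the template, which is outside the hunk, and the rest of this block's use of `requestUrl` continues past the hunk and would need to sit under the else branch.
```typescript
let unknownUrl = $ref(false);

// Treat an unparsable or non-http(s) URL as "unknown" instead of aborting setup.
let requestUrl: URL | undefined;
try {
	const parsed = new URL(props.url);
	if (['http:', 'https:'].includes(parsed.protocol)) requestUrl = parsed;
} catch {
	// TypeError from the URL constructor: malformed input, leave requestUrl undefined
}
if (requestUrl === undefined) {
	unknownUrl = true;
} else if (requestUrl.hostname === 'twitter.com' || requestUrl.hostname === 'mobile.twitter.com') {
	// … unchanged: twitter status-id extraction …
```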
| @@ -26,6 +26,7 @@ const props = defineProps<{ | ||||
| }>(); | ||||
|  | ||||
| const requestUrl = new URL(props.url); | ||||
| if (!['http:', 'https:'].includes(requestUrl.protocol)) throw new Error('invalid url'); | ||||
|  | ||||
| let fetching = $ref(true); | ||||
| let title = $ref<string | null>(null); | ||||
|   | ||||
| @@ -33,6 +33,7 @@ const props = defineProps<{ | ||||
|  | ||||
| const self = props.url.startsWith(local); | ||||
| const url = new URL(props.url); | ||||
| if (!['http:', 'https:'].includes(url.protocol)) throw new Error('invalid url'); | ||||
| const el = ref(); | ||||
|  | ||||
| useTooltip(el, (showing) => { | ||||
|   | ||||
| @@ -70,6 +70,7 @@ async function accept(): Promise<void> { | ||||
| 	state = 'accepted'; | ||||
| 	if (props.callback) { | ||||
| 		const cbUrl = new URL(props.callback); | ||||
| 		if (!['http:', 'https:'].includes(cbUrl.protocol)) throw new Error('invalid url'); | ||||
| 		cbUrl.searchParams.set('session', props.session); | ||||
| 		location.href = cbUrl.href; | ||||
| 	} | ||||
|   | ||||
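Review bot: `state = 'accepted'` is assigned before the callback URL is parsed and checked, so when `new URL(props.callback)` throws a `TypeError` on a malformed value or the new scheme check throws, the component is already left in the accepted state while no navigation happens; move the parse and the check above `state = 'accepted';` (or validate `props.callback` once at setup) so a rejected callback leaves the state untouched. Because `accept()` is `async`, the throw surfaces as a rejected promise, and whether the caller awaits it cannot be seen from this hunk. The scheme allowlist is the right control against non-http(s) targets, but it does not constrain the host: the `session` value is still appended to and sent to whatever callback the request supplied, so the check that authorizes the callback for this session (if any, it is outside the hunk) remains the control that matters and is worth a comment on the new line, e.g. `// scheme allowlist only; callback host/origin is trusted as supplied by the session`. The body of `accept()` starts before this hunk.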
	 syuilo
					syuilo