OpenSource/Sharkey
OpenSource/Sharkey
1
0
Fork 0
mirror of https://activitypub.software/TransFem-org/Sharkey.git synced 2025-01-09 23:29:43 +01:00
Code Issues Projects Releases Packages Wiki Activity

use the whole hostname to check remote links - fixes #866

Browse source 
the warning dialog's "trust this domain" toggle saves the whole
hostname, so this code needs to use the whole hostname

otherwise trusting a `www.example.com` will never work, because we'd
be checking `example.com` against it, and fail

while I was there, I also made the `trustedLinkUrlPatterns` correctly
match sub-domains: previously, trusting `ple.com` would trust
`example.com`
This commit is contained in:
dakkar 2025-01-02 10:03:16 +00:00
parent 565c987744
commit ac0c6841aa
1 changed files with 15 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
packages/frontend/src/scripts/warning-external-website.ts
View file

@ -8,13 +8,21 @@ import { defaultStore } from '@/store.js';
import * as os from '@/os.js';
import MkUrlWarningDialog from '@/components/MkUrlWarningDialog.vue';
const extractDomain = /^(https?:\/\/|\/\/)?([^@/\s]+@)?(www\.)?([^:/\s]+)/i;
const isRegExp = /^\/(.+)\/(.*)$/;
export async function warningExternalWebsite(url: string) {
const domain = extractDomain.exec(url)?.[4];
function extractHostname(maybeUrl: string): URL | null {
try {
const url = new URL(maybeUrl);
return url.host;
} catch {
return null;
}
}
if (!domain) return false;
export async function warningExternalWebsite(url: string) {
const hostname = extractHostname(url);
if (!hostname) return false;
const isTrustedByInstance = instance.trustedLinkUrlPatterns.some(expression => {
const r = isRegExp.exec(expression);
@ -24,11 +32,11 @@ export async function warningExternalWebsite(url: string) {
} else if (expression.includes(' ')) {
return expression.split(' ').every(keyword => url.includes(keyword));
} else {
return domain.endsWith(expression);
return `.${hostname}`.endsWith(`.${expression}`);
}
});
const isTrustedByUser = defaultStore.reactiveState.trustedDomains.value.includes(domain);
const isTrustedByUser = defaultStore.reactiveState.trustedDomains.value.includes(hostname);
const isDisabledByUser = !defaultStore.reactiveState.warnExternalUrl.value;
if (!isTrustedByInstance && !isTrustedByUser && !isDisabledByUser) {
@ -44,7 +52,7 @@ export async function warningExternalWebsite(url: string) {
});
if (confirm.canceled) return false;
return window.open(url, '_blank', 'nofollow noopener popup=false');
}