From b5b19abb240b8c885b7e0831ef60fab783ee08c2 Mon Sep 17 00:00:00 2001
From: Bruno Windels <bruno@windels.cloud>
Date: Fri, 16 Jul 2021 18:32:40 +0200
Subject: [PATCH] only allow links for the schemas mentioned in the spec

---
 src/domain/session/room/timeline/deserialize.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/domain/session/room/timeline/deserialize.js b/src/domain/session/room/timeline/deserialize.js
index 53c1291c..d477853d 100644
--- a/src/domain/session/room/timeline/deserialize.js
+++ b/src/domain/session/room/timeline/deserialize.js
@@ -14,6 +14,7 @@ import { parsePillLink } from "./pills.js"
  */
 const basicInline = ["EM", "STRONG", "CODE", "DEL", "SPAN" ];
 const basicBlock = ["DIV", "BLOCKQUOTE"];
+const safeSchemas = ["https", "http", "ftp", "mailto", "magnet"].map(name => `${name}://`);
 
 class Deserializer {
     constructor(result, mediaRepository) {
@@ -23,9 +24,9 @@ class Deserializer {
 
     parseLink(node, children) {
         const href = this.result.getAttributeValue(node, "href");
-        if (!href || !href.match(/^[a-z]+:[\/]{2}/i)) {
-            // Invalid or missing URLs are not turned into links
-            // We throw away relative links, too.
+        const lcUrl = href?.toLowerCase();
+        // urls should be absolute and with a safe schema, as listed in the spec
+        if (!lcUrl || !safeSchemas.some(schema => lcUrl.startsWith(schema))) {
             return new FormatPart("span", children);
         }
         const pillData = parsePillLink(href);