only allow links for the schemas mentioned in the spec

Bruno Windels 2021-07-16 18:32:40 +02:00
parent fe3bdda05a
commit b5b19abb24


@ -14,6 +14,7 @@ import { parsePillLink } from "./pills.js"
*/ */
const basicInline = ["EM", "STRONG", "CODE", "DEL", "SPAN" ]; const basicInline = ["EM", "STRONG", "CODE", "DEL", "SPAN" ];
const basicBlock = ["DIV", "BLOCKQUOTE"]; const basicBlock = ["DIV", "BLOCKQUOTE"];
const safeSchemas = ["https", "http", "ftp", "mailto", "magnet"].map(name => `${name}://`);
class Deserializer { class Deserializer {
constructor(result, mediaRepository) { constructor(result, mediaRepository) {
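Review bot: The `safeSchemas` list built in the first hunk appends `://` to every scheme name, but `mailto` and `magnet` URIs do not use the `//` authority form (`mailto:user@host`, `magnet:?xt=…`), so the `lcUrl.startsWith(schema)` check in `parseLink` rejects two of the five schemes the commit intends to allow and they fall back to a plain span. Listing the prefixes explicitly fixes it without loosening the check for the authority-based schemes: `const safeSchemas = ["https://", "http://", "ftp://", "mailto:", "magnet:"];`. A short comment above it such as `// scheme prefixes permitted by the spec; only mailto and magnet are non-hierarchical` would make the asymmetry intentional rather than look like a typo. The body of `parseLink` in the second hunk continues past the end of the visible section.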
@ -23,9 +24,9 @@ class Deserializer {
parseLink(node, children) { parseLink(node, children) {
const href = this.result.getAttributeValue(node, "href"); const href = this.result.getAttributeValue(node, "href");
if (!href || !href.match(/^[a-z]+:[\/]{2}/i)) { const lcUrl = href?.toLowerCase();
// Invalid or missing URLs are not turned into links // urls should be absolute and with a safe schema, as listed in the spec
// We throw away relative links, too. if (!lcUrl || !safeSchemas.some(schema => lcUrl.startsWith(schema))) {
return new FormatPart("span", children); return new FormatPart("span", children);
} }
const pillData = parsePillLink(href); const pillData = parsePillLink(href);