oscar-surf/misskey
oscar-surf/misskey
0
0
Fork 0
Code Issues Activity

Merge commit from fork

Browse source 
(cherry picked from commit d10fdfe9738b17a9d81037c031b40a2cc4cb8038)

* SP-2025-03.1 always wrap icon&thumbnail URLs

if they're not HTTP URLs, the frontend won't be able to display them
anyway (`<img src="mailto:…">` or '<div stile="background-image:
url(nntp:…)">` aren't going to work!), so let's always run them through the
media proxy, which will fail harder (fetching a `javascript:` URL
won't do anything in the backend, might do something in the frontend)
and will always protect the client's address in cases like `gemini:`
where the browser could try to fetch

* SP-2025-03.2 use object binding for more styles

interpolating a random (remote-controlled!) string into a `style`
attribute is a bad idea; using VueJS object binding, we should get
proper quoting and therefore safe parse failures instead of CSS
injections / XSS

* SP-2025-03.3 slightly more robust "self" URL handling

parse URLs instead of treating them as strings; this is still not
perfect, but the `URL` class only handles full URLs, not relative
ones, so there's so way to ask it "give me a URL object that
represents this resource relative to this base URL"

notice that passing very weird URLs to `MkUrl` and `MkUrlPreview` will
break the frontend (in dev mode) because there's an untrapped `new
URL(…)` that may explode; production builds seem to safely ignore the
error, though

---------

Co-authored-by: Julia <julia@insertdomain.name>
Co-authored-by: dakkar <dakkar@thenautilus.net>
This commit is contained in:
あわわわとーにゅ 2025-05-01 21:21:36 +09:00
parent 969c5e3d39
commit 695bbf02ca
No known key found for this signature in database
GPG key ID: 6AFBBF529601C1DB
10 changed files with 38 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

8
packages/frontend/src/components/global/MkUrl.vue
View file

@ -9,7 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-only
ref="el"
:class="$style.root"
class="_link"
:[attr]="self ? props.url.substring(local.length) : props.url"
:[attr]="maybeRelativeUrl"
:rel="rel ?? 'nofollow noopener'"
:target="target"
:behavior="props.navigationBehavior"
@ -40,7 +40,8 @@ import { useTooltip } from '@/scripts/use-tooltip.js';
import { safeURIDecode } from '@/scripts/safe-uri-decode.js';
import { warningExternalWebsite } from '@/scripts/warning-external-website.js';
import { isEnabledUrlPreview } from '@/instance.js';
import { MkABehavior } from '@/components/global/MkA.vue';
import type { MkABehavior } from '@/components/global/MkA.vue';
import { maybeMakeRelative } from '@/scripts/url.js';
const props = withDefaults(defineProps<{
url: string;
@ -51,7 +52,8 @@ const props = withDefaults(defineProps<{
showUrlPreview: true,
});
const self = props.url.startsWith(local);
const maybeRelativeUrl = maybeMakeRelative(props.url, local);
const self = maybeRelativeUrl !== props.url;
const url = new URL(props.url);
if (!['http:', 'https:'].includes(url.protocol)) throw new Error('invalid url');
const el = ref();