fix(client): validate url to improve security

2023-02-09 18:01:12 +09:00 · 2023-02-09 18:01:12 +09:00 · 70fe23a3ce
commit 70fe23a3ce
parent 6641b13b4c
2 changed files with 3 additions and 1 deletions
--- a/packages/frontend/src/pages/auth.vue
+++ b/packages/frontend/src/pages/auth.vue
@ -77,6 +77,8 @@ export default defineComponent({
 		accepted() {
 			this.state = 'accepted';
 			if (this.session.app.callbackUrl) {
+				const url = new URL(this.session.app.callbackUrl);
+				if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(url.protocol)) throw new Error('invalid url');
 				location.href = `${this.session.app.callbackUrl}?token=${this.session.token}`;
 			}
 		}, onLogin(res) {