oscar-surf/misskey
oscar-surf/misskey
0
0
Fork 0
Code Issues Activity

fix(client): validate url to improve security

Browse source
This commit is contained in:
syuilo 2023-02-09 18:01:12 +09:00
parent 6641b13b4c
commit 70fe23a3ce
2 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
packages/frontend/src/pages/miauth.vue
View file

@ -70,7 +70,7 @@ async function accept(): Promise<void> {
state = 'accepted';
if (props.callback) {
const cbUrl = new URL(props.callback);
if (!['http:', 'https:'].includes(cbUrl.protocol)) throw new Error('invalid url');
if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(cbUrl.protocol)) throw new Error('invalid url');
cbUrl.searchParams.set('session', props.session);
location.href = cbUrl.href;
}