misskey/packages/frontend/src/scripts/url.ts
あわわわとーにゅ 695bbf02ca
Merge commit from fork
(cherry picked from commit d10fdfe9738b17a9d81037c031b40a2cc4cb8038)

* SP-2025-03.1 always wrap icon&thumbnail URLs

if they're not HTTP URLs, the frontend won't be able to display them
anyway (`<img src="mailto:…">` or `<div style="background-image:
url(nntp:…)">` aren't going to work!), so let's always run them through the
media proxy, which will fail harder (fetching a `javascript:` URL
won't do anything in the backend, might do something in the frontend)
and will always protect the client's address in cases like `gemini:`
where the browser could try to fetch

* SP-2025-03.2 use object binding for more styles

interpolating a random (remote-controlled!) string into a `style`
attribute is a bad idea; using VueJS object binding, we should get
proper quoting and therefore safe parse failures instead of CSS
injections / XSS

* SP-2025-03.3 slightly more robust "self" URL handling

parse URLs instead of treating them as strings; this is still not
perfect, but the `URL` class only handles full URLs, not relative
ones, so there's no way to ask it "give me a URL object that
represents this resource relative to this base URL"

notice that passing very weird URLs to `MkUrl` and `MkUrlPreview` will
break the frontend (in dev mode) because there's an untrapped `new
URL(…)` that may explode; production builds seem to safely ignore the
error, though

---------

Co-authored-by: Julia <julia@insertdomain.name>
Co-authored-by: dakkar <dakkar@thenautilus.net>
2025-05-01 21:29:39 +09:00


/*
 * SPDX-FileCopyrightText: syuilo and misskey-project
 * SPDX-License-Identifier: AGPL-3.0-only
 */

/* Inspects obj and
 * 1. adds no query parameter when an array is empty
 * 2. adds no query parameter when a property is undefined
 * (new URLSearchParams(obj) is not that careful)
 */
export function query(obj: Record<string, unknown>): string {
	const params = Object.entries(obj)
		.filter(([, v]) => Array.isArray(v) ? v.length : v !== undefined)
		.reduce((a, [k, v]) => (a[k] = v, a), {} as Record<string, any>);

	return Object.entries(params)
		.map((p) => `${p[0]}=${encodeURIComponent(p[1])}`)
		.join('&');
}

// Appends `query` to `url`, picking the separator from whether the URL
// already contains a `?` (and whether it already ends with one).
export function appendQuery(url: string, query: string): string {
	return `${url}${/\?/.test(url) ? url.endsWith('?') ? '' : '&' : '?'}${query}`;
}

// Strips a leading `https://`, in either raw or percent-encoded form.
export function omitHttps(url: string): string {
	if (url.startsWith('https://')) return url.slice(8);
	if (url.startsWith('https%3A%2F%2F')) return url.slice(14);
	return url;
}

// Returns urlStr as a path relative to baseStr when both parse to the same
// origin (scheme, host and port after URL normalisation); otherwise returns
// urlStr unchanged. Input that the URL class cannot parse (relative or
// malformed URLs) yields an empty string.
export function maybeMakeRelative(urlStr: string, baseStr: string): string {
	try {
		const baseObj = new URL(baseStr);
		const urlObj = new URL(urlStr);
		/* in all places where maybeMakeRelative is used, baseStr is the
		 * instance's public URL, which can't have path components, so the
		 * relative URL will always have the whole path from the urlStr
		 */
		if (urlObj.origin === baseObj.origin) {
			return urlObj.pathname + urlObj.search + urlObj.hash;
		}
		return urlStr;
	} catch (e) {
		return '';
	}
}
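The SP-2025-03.3 paragraph in the commit message and the `maybeMakeRelative` function above both turn on the same point: deciding whether a URL is "ours" by parsing it, not by comparing strings. The following is an added example, not code from the misskey repository, that puts a naive string-prefix check beside the origin comparison the file uses, and classifies the kinds of input the commit message mentions (`javascript:`, `mailto:`, `gemini:`, relative paths) so a caller can tell which ones must never reach an `<img src>` or a CSS `url()` directly. `INSTANCE_URL`, `classifyUrl`, `isBrowserFetchable` and every sample URL are constructed for this demonstration.

```typescript
// Added example, not code from the misskey repository. Contrasts a naive
// string-prefix "is this our own URL?" test with the origin comparison that
// maybeMakeRelative performs through the URL class.
// INSTANCE_URL and all sample URLs below are constructed for this demo.

const INSTANCE_URL = 'https://example.social';

// Naive variant, kept only for contrast: a prefix match neither normalises
// scheme and host case nor knows where the host name ends.
function naiveMakeRelative(urlStr: string, baseStr: string): string {
	return urlStr.startsWith(baseStr) ? urlStr.slice(baseStr.length) : urlStr;
}

// new URL() throws on relative or malformed input; fold that into a null.
function parseUrl(s: string): URL | null {
	try {
		return new URL(s);
	} catch {
		return null;
	}
}

type UrlKind = 'self' | 'remote-http' | 'non-http' | 'invalid';

interface ClassifiedUrl {
	kind: UrlKind;
	// relative path for 'self', the input for the remote kinds, '' when invalid
	value: string;
}

// Parsed variant: the same origin test as maybeMakeRelative, with the reason
// a URL was left alone exposed to the caller.
function classifyUrl(urlStr: string, baseStr: string): ClassifiedUrl {
	const baseObj = new URL(baseStr); // baseStr is trusted instance configuration
	const urlObj = parseUrl(urlStr);
	if (urlObj === null) {
		return { kind: 'invalid', value: '' };
	}
	// origin is scheme + host + port, lower-cased, default port dropped
	if (urlObj.origin === baseObj.origin) {
		return { kind: 'self', value: urlObj.pathname + urlObj.search + urlObj.hash };
	}
	if (urlObj.protocol === 'http:' || urlObj.protocol === 'https:') {
		return { kind: 'remote-http', value: urlStr };
	}
	// javascript:, mailto:, gemini:, nntp: ... all land here; their origin is "null"
	return { kind: 'non-http', value: urlStr };
}

// Only HTTP(S) URLs (own origin or remote) are something the browser can
// render from an <img src> or CSS url(); anything else is a candidate for
// the media proxy or for dropping, never for direct interpolation.
function isBrowserFetchable(urlStr: string, baseStr: string): boolean {
	const { kind } = classifyUrl(urlStr, baseStr);
	return kind === 'self' || kind === 'remote-http';
}

// Side-by-side results for a set of constructed inputs.
function compareAll(): Array<{ input: string; naive: string; parsed: ClassifiedUrl }> {
	const samples = [
		'https://example.social/@alice?x=1#top',     // genuinely ours
		'https://example.social.evil.test/avatar.png', // prefix matches, origin does not
		'HTTPS://Example.Social/a',                  // ours, unusual case
		'https://example.social:443/a',              // ours, explicit default port
		'javascript:void(0)',                        // non-HTTP scheme
		'gemini://example.org/x',                    // non-HTTP scheme
		'/just/a/path',                              // relative: URL class rejects it
	];
	return samples.map((input) => ({
		input,
		naive: naiveMakeRelative(input, INSTANCE_URL),
		parsed: classifyUrl(input, INSTANCE_URL),
	}));
}

for (const row of compareAll()) {
	console.log(row.input, '=>', 'naive:', JSON.stringify(row.naive), 'parsed:', row.parsed);
}
```

The second and fourth samples are the instructive ones: the prefix check reports `https://example.social.evil.test/...` as a same-site path (`.evil.test/avatar.png`) and turns an explicit `:443` into a path starting with `:443`, while the origin comparison gets both right because the URL class normalises host and port before comparing.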