diff --git a/web/src/app/util/safeURL.ts b/web/src/app/util/safeURL.ts
index 85974101b8..7cf324eb53 100644
--- a/web/src/app/util/safeURL.ts
+++ b/web/src/app/util/safeURL.ts
@@ -1,7 +1,23 @@
+// decodeHtmlEntites will decode common HTML entities in a string.
+//
+// This is useful for ensuring that any encoded characters in the text are converted
+// back to their original form for comparision.
+function decodeHtmlEntites(text: string): string {
+  return text
+    .replace(/&/g, '&')
+    .replace(/</g, '<')
+    .replace(/>/g, '>')
+    .replace(/"/g, '"')
+    .replace(/'/g, "'")
+}
+
 // safeURL will determine if a url is safe for linking.
 //
 // It tries to determine if the label is misleading.
 export function safeURL(url: string, label: string): boolean {
+  url = decodeHtmlEntites(url)
+  label = decodeHtmlEntites(label)
+
   if (url.startsWith('mailto:')) {
     const email = url.substr(7)
     return email === label && email.includes('@')
@@ -14,7 +30,7 @@ export function safeURL(url: string, label: string): boolean {
   // handle http protocols
   if (!/https?:\/\//.test(url)) return false // require absolute URLs
-  if (!/[./]/.test(label)) return true // don't consider it a path/url without slashes or periods
+  if (!/[./]/.test(url)) return true // don't consider it a path/url without slashes or periods
   if (url.startsWith(label)) return true // if it matches the beginning, then it's fine
   if (url.replace(/^https?:\/\//, '').startsWith(label)) return true // same prefix without protocol
   if (url.replace(/^https?:\/\//, '').startsWith('www.' + label)) return true // same prefix without protocol
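Review bot: The replace chain in decodeHtmlEntites is order-sensitive, and it decodes the ampersand entity first, so a doubly encoded sequence such as `&amp;lt;` collapses to `<` in one pass and the two operands of the later comparison in safeURL can canonicalise differently depending on how many times each was encoded; move the `&amp;` replacement to the end of the chain so it runs last. The page renders each pattern and its replacement as the same character (`/&/g, '&'`), so the actual entity patterns are inferred here and should be confirmed against the file. Only five named entities are handled and numeric character references are not, which is worth a comment on the helper (for example `// only the named entities above are decoded; numeric references such as &#47; pass through unchanged`) since callers rely on it to normalise text before the safety check. The identifier and comment also carry typos: `decodeHtmlEntites` should be `decodeHtmlEntities` and `comparision` should be `comparison`. safeURL's body continues past the end of this hunk.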
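Review bot: The changed condition `if (!/[./]/.test(url)) return true` can no longer be satisfied: the line directly above returns false unless url matches `https?://`, that prefix always contains a slash, so `/[./]/.test(url)` is always true here and the early return is dead code while its trailing comment still describes a check that never fires. If the intent is that a label without dots or slashes is no longer trusted automatically, delete the line; if the original label check was meant to remain, restore `if (!/[./]/.test(label)) return true`. safeURL starts in the previous hunk and its body continues outside this one.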