From 83752ef96a24ed4ded201556ebd47e032d4c3b4c Mon Sep 17 00:00:00 2001
From: AllenDing
Date: Wed, 14 Feb 2024 12:27:23 -0600
Subject: [PATCH] add label processing before regex comparisons

---
 web/src/app/util/safeURL.ts | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/web/src/app/util/safeURL.ts b/web/src/app/util/safeURL.ts
index 85974101b8..7cf324eb53 100644
--- a/web/src/app/util/safeURL.ts
+++ b/web/src/app/util/safeURL.ts
@@ -1,7 +1,23 @@
+// decodeHtmlEntites will decode common HTML entities in a string.
+//
+// This is useful for ensuring that any encoded characters in the text are converted
+// back to their original form for comparision.
+function decodeHtmlEntites(text: string): string {
+  return text
+    .replace(/&/g, '&')
+    .replace(/</g, '<')
+    .replace(/>/g, '>')
+    .replace(/"/g, '"')
+    .replace(/'/g, "'")
+}
+
 // safeURL will determine if a url is safe for linking.
 //
 // It tries to determine if the label is misleading.
 export function safeURL(url: string, label: string): boolean {
+  url = decodeHtmlEntites(url)
+  label = decodeHtmlEntites(label)
+
   if (url.startsWith('mailto:')) {
     const email = url.substr(7)
     return email === label && email.includes('@')
@@ -14,7 +30,7 @@ export function safeURL(url: string, label: string): boolean {
   // handle http protocols
   if (!/https?:\/\//.test(url)) return false // require absolute URLs
-  if (!/[./]/.test(label)) return true // don't consider it a path/url without slashes or periods
+  if (!/[./]/.test(url)) return true // don't consider it a path/url without slashes or periods
   if (url.startsWith(label)) return true // if it matches the beginning, then it's fine
   if (url.replace(/^https?:\/\//, '').startsWith(label)) return true // same prefix without protocol
   if (url.replace(/^https?:\/\//, '').startsWith('www.' + label)) return true // same prefix without protocol
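Review bot: As listed here, every `.replace()` in `decodeHtmlEntites` has a pattern identical to its replacement (`/&/g` → `'&'`, `/</g` → `'<'`, and so on), so the function returns its input unchanged and the two new assignments at the top of `safeURL` have no effect; if the real source reads `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;` and this listing lost the entity names, that part is moot, but the hand-rolled table then still covers only five named entities, and numeric forms of the same characters (for example `&#46;` or `&#x2F;`) would stay encoded and be compared in a different form than the one rendered to the user. Prefer a complete entity decoder over a fixed list, and apply the same decoding to the value that ends up as the href, so the strings being compared are the ones actually shown and clicked. The header comment should also state the contract that this is a normalisation step for comparison only, e.g. `// decodeHtmlEntities normalises text for comparison only; it does not sanitize HTML.`, and the names `decodeHtmlEntites` / `comparision` are misspelled.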
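Review bot: The changed line in the second hunk now tests `url` instead of `label`, but `url` has already passed `/https?:\/\//` on the line above, so it always contains `/` and this early `return true` is unreachable. The practical effect is that a plain-text label with no `.` or `/` (previously accepted outright) now only passes if it is a prefix of the url, which may be the intended tightening; if so, delete the line rather than leave dead code, otherwise restore `if (!/[./]/.test(label)) return true`. Either way the trailing comment ("don't consider it a path/url without slashes or periods") describes the label, not the url, and should match whichever operand is kept. The rest of `safeURL` continues past the end of this hunk.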