fix(frontend): 外部URLへのリダイレクトのバリデーションを強化 (#14919)
* Fix code scanning alert no. 25: Incomplete URL scheme check (MisskeyIO#799)
* Fix code scanning alert no. 26: Incomplete URL scheme check
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Fix code scanning alert no. 25: Incomplete URL scheme check
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
(cherry picked from commit 7d7552e076c0152a5966e919be0e9a60b3736208)
* ✌️
---------
Co-authored-by: あわわわとーにゅ <17376330+u1-liquid@users.noreply.github.com>
This commit is contained in:
parent
98b4717c45
commit
5b60ae810b
@ -62,7 +62,7 @@ function accepted() {
|
||||
state.value = 'accepted';
|
||||
if (session.value && session.value.app.callbackUrl) {
|
||||
const url = new URL(session.value.app.callbackUrl);
|
||||
if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(url.protocol)) throw new Error('invalid url');
|
||||
if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:', 'vbscript:'].includes(url.protocol)) throw new Error('invalid url');
|
||||
location.href = `${session.value.app.callbackUrl}?token=${session.value.token}`;
|
||||
}
|
||||
}
|
||||
|
@ -65,7 +65,7 @@ async function onAccept(token: string) {
|
||||
|
||||
if (props.callback && props.callback !== '') {
|
||||
const cbUrl = new URL(props.callback);
|
||||
if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(cbUrl.protocol)) throw new Error('invalid url');
|
||||
if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:', 'vbscript:'].includes(cbUrl.protocol)) throw new Error('invalid url');
|
||||
cbUrl.searchParams.set('session', props.session);
|
||||
location.href = cbUrl.toString();
|
||||
} else {
|
||||
|
Loading…
Reference in New Issue
Block a user