yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improved sanitization of href's in editor

Browse Source
This commit is contained in:
Tom Moor
2022-07-05 10:14:16 +02:00
parent 2f3dcb2520
commit 4e189b8970
9 changed files with 94 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
shared/utils/urls.ts
View File

@@ -1,14 +1,26 @@
import env from "../env";
import { parseDomain } from "./domains";
/**
* Prepends the CDN url to the given path (If a CDN is configured).
*
* @param path The path to prepend the CDN url to.
* @returns The path with the CDN url prepended.
*/
export function cdnPath(path: string): string {
return `${env.CDN_URL}${path}`;
}
// TODO: HACK: if this is called server-side, it will always return false.
// - The only call sites to this function and isExternalUrl are on the client
// - The reason this is in a shared util is because it's used in an editor plugin
// which is also in the shared code
/**
* Returns true if the given string is a link to inside the application.
*
* Important Note: If this is called server-side, it will always return false.
* The reason this is in a shared util is because it's used in an editor plugin
* which is also in the shared code
*
* @param url The url to check.
* @returns True if the url is internal, false otherwise.
*/
export function isInternalUrl(href: string) {
// empty strings are never internal
if (href === "") {
@@ -29,6 +41,50 @@ export function isInternalUrl(href: string) {
return outline?.host === domain.host;
}
export function isExternalUrl(href: string) {
return !isInternalUrl(href);
/**
* Returns true if the given string is a url.
*
* @param url The url to check.
* @returns True if a url, false otherwise.
*/
export function isUrl(text: string) {
if (text.match(/\n/)) {
return false;
}
try {
const url = new URL(text);
return url.hostname !== "";
} catch (err) {
return false;
}
}
/**
* Returns true if the given string is a link to outside the application.
*
* @param url The url to check.
* @returns True if the url is external, false otherwise.
*/
export function isExternalUrl(url: string) {
return !isInternalUrl(url);
}
/**
* For use in the editor, this function will ensure that a link href is
* potentially valid, and filter out unsupported and malicious protocols.
*
* @param href The href to sanitize
* @returns The sanitized href
*/
export function sanitizeHref(href: string) {
if (
!isUrl(href) &&
!href.startsWith("/") &&
!href.startsWith("#") &&
!href.startsWith("mailto:")
) {
return `https://${href}`;
}
return href;
}