webui: allow only whitelisted link protocols to prevent javascript in links

electron128 2015-07-30 20:05:54 +02:00 committed by cave beat
parent ff9bf71aa8
commit d94124a18b
3 changed files with 54 additions and 14 deletions


@ -333,8 +333,18 @@ void ChatHandler::tick()
&& last_six_chars.size() >= a.size()
&& last_six_chars.substr(last_six_chars.size()-a.size()) == a)
{
current_link.third = out.size();
links.push_back(current_link);
// only allow these protocols
// we don't want for example javascript:alert(0)
std::string http = "http://";
std::string https = "https://";
std::string retroshare = "retroshare://";
if( out.substr(current_link.first, http.size()) == http
|| out.substr(current_link.first, https.size()) == https
|| out.substr(current_link.first, retroshare.size()) == retroshare)
{
current_link.third = out.size();
links.push_back(current_link);
}
current_link = Triple();
}
}
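Review bot: The added `if` compares the scheme prefix case-sensitively, but URI schemes are case-insensitive, so a link written as `HTTPS://…` is silently left out of `links`. That fails closed, which is the safe direction, but either lowercase the scheme before comparing or extend the comment to say `// scheme match is case-sensitive on purpose; anything else is dropped`. The three `std::string` locals and three `substr` temporaries are rebuilt each time this branch is reached; a `static const char* const allowed[] = {"http://", "https://", "retroshare://"};` checked with `out.compare(current_link.first, strlen(p), p) == 0` avoids the allocations. The allowlist constrains only the scheme, so whatever consumes `links` presumably still has to escape the rest of the URL when it builds the href; that code is not visible here. `ChatHandler::tick()` begins and ends outside the hunk.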