fix(client): validate urls to improve security

packages/client/src/components/MkUrlPreview.vue

@@ -67,6 +67,7 @@ const embedId = `embed${Math.random().toString().replace(/\D/,'')}`;
 let tweetHeight = $ref(150);
 
 const requestUrl = new URL(props.url);
+if (!['http:', 'https:'].includes(requestUrl.protocol)) throw new Error('invalid url');
 
 if (requestUrl.hostname === 'twitter.com' || requestUrl.hostname === 'mobile.twitter.com') {
 	const m = requestUrl.pathname.match(/^\/.+\/status(?:es)?\/(\d+)/);

packages/client/src/components/global/MkUrl.vue

@@ -33,6 +33,7 @@ const props = defineProps<{
 
 const self = props.url.startsWith(local);
 const url = new URL(props.url);
+if (!['http:', 'https:'].includes(url.protocol)) throw new Error('invalid url');
 const el = ref();
 
 useTooltip(el, (showing) => {

packages/client/src/pages/miauth.vue

@@ -70,6 +70,8 @@ async function accept(): Promise<void> {
 
 	state = 'accepted';
 	if (props.callback) {
+		const cbUrl = new URL(props.callback);
+		if (!['http:', 'https:'].includes(cbUrl.protocol)) throw new Error('invalid url');
 		location.href = appendQuery(props.callback, query({
 			session: props.session,
 		}));