fix(client): validate url to improve security
This commit is contained in:
parent
6641b13b4c
commit
70fe23a3ce
|
@ -77,6 +77,8 @@ export default defineComponent({
|
||||||
accepted() {
|
accepted() {
|
||||||
this.state = 'accepted';
|
this.state = 'accepted';
|
||||||
if (this.session.app.callbackUrl) {
|
if (this.session.app.callbackUrl) {
|
||||||
|
const url = new URL(this.session.app.callbackUrl);
|
||||||
|
if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(url.protocol)) throw new Error('invalid url');
|
||||||
location.href = `${this.session.app.callbackUrl}?token=${this.session.token}`;
|
location.href = `${this.session.app.callbackUrl}?token=${this.session.token}`;
|
||||||
}
|
}
|
||||||
}, onLogin(res) {
|
}, onLogin(res) {
|
||||||
|
|
|
@ -70,7 +70,7 @@ async function accept(): Promise<void> {
|
||||||
state = 'accepted';
|
state = 'accepted';
|
||||||
if (props.callback) {
|
if (props.callback) {
|
||||||
const cbUrl = new URL(props.callback);
|
const cbUrl = new URL(props.callback);
|
||||||
if (!['http:', 'https:'].includes(cbUrl.protocol)) throw new Error('invalid url');
|
if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(cbUrl.protocol)) throw new Error('invalid url');
|
||||||
cbUrl.searchParams.set('session', props.session);
|
cbUrl.searchParams.set('session', props.session);
|
||||||
location.href = cbUrl.href;
|
location.href = cbUrl.href;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue