web/cryptpad
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Forbid JavaScript in links to the bounce app

Browse Source
This commit is contained in:
yflory 2018-11-13 14:18:09 +01:00
parent fc915e3337
commit 04decacaca
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
www/bounce/main.js
View File

@ -9,6 +9,12 @@ define(['/api/config'], function (ApiConfig) {
window.alert('The bounce application must only be used with a valid href to visit'); window.alert('The bounce application must only be used with a valid href to visit');
return; return;
} }
if (bounceTo.indexOf('javascript:') === 0 ||
bounceTo.indexOf('vbscript:') === 0 ||
bounceTo.indexOf('data:') === 0) {
window.alert('Illegal bounce URL');
return;
}
window.opener = null; window.opener = null;
window.location.href = bounceTo; window.location.href = bounceTo;
}); });