A malicious user could modify a valid-looking link (for example one in the editor UI) to point to a malicious site by using overlays and CSS. Since CSS should stay enabled, we need to make the user aware of the possible risks when leaving the HedgeDoc instance, in order to protect them from credential theft. This commit adds a new interstitial page for external links that shows the target URL and asks the user whether they really want to continue. Signed-off-by: Erik Michelson <github@erik.michelson.eu>
// Only these schemes count as a "valid" external target; anything else
// (mailto:, ftp:, data:, ...) still parses but is reported with valid=false.
const ALLOWED_PROTOCOLS = ['http:', 'https:']

// Coerce a query-string value to a string; arrays/objects produced by an
// extended query parser collapse to ''.
function queryStringValue (value) {
  return typeof value === 'string' ? value : ''
}

// Keep the note reference only if it is a bare note id (word characters and
// dashes), so the "back to note" link can never point anywhere else.
function sanitizeNoteId (note) {
  if (note === '') {
    return note
  }
  return /^[\w-]+$/.test(note) ? note : ''
}

/**
 * Express handler for the external-link interstitial page.
 *
 * Reads the intended destination from `req.query.url` and the originating
 * note from `req.query.note`, normalises both and renders `link.ejs` so the
 * user can see where a link leads before leaving the instance.
 *
 * Behaviour of the rendered context:
 * - `noteURL`: the note id if it matches /^[\w-]+$/, otherwise ''.
 * - `targetURL`: the percent-decoded URL re-serialised through `URL#href`
 *   when it parses; if decoding throws it stays the raw query value, if
 *   parsing throws it stays the decoded string.
 * - `valid`: true only when the parsed protocol is http: or https:.
 *
 * NOTE(review): `targetURL` is forwarded to the template even when `valid`
 * is false (e.g. for a non-http scheme), so `link.ejs` is expected to show
 * it as text only and gate the actual anchor on `valid` — confirm there.
 *
 * NOTE(review): Express has already decoded the query string once, so the
 * `decodeURIComponent` here is a second decode; presumably it covers links
 * that arrive double-encoded — confirm, as it also turns a literal `%2B`
 * in the target into `+`.
 *
 * @param {import('express').Request} req - needs `req.query.url` / `req.query.note`
 * @param {import('express').Response} res - receives a `Cache-Control: no-store` header and the rendered view
 */
function serveLinkWarningPage (req, res) {
  const noteURL = sanitizeNoteId(queryStringValue(req.query.note))
  let targetURL = queryStringValue(req.query.url)
  let valid = false

  try {
    targetURL = decodeURIComponent(targetURL)
    const parsed = new URL(targetURL)
    valid = ALLOWED_PROTOCOLS.includes(parsed.protocol)
    // Use the canonical serialisation so the page shows exactly what the
    // browser would navigate to.
    targetURL = parsed.href
  } catch (err) {
    // Malformed percent-encoding or an unparsable URL: report as invalid,
    // keeping whatever string we had so far for display.
    valid = false
  }

  // The page embeds a user-supplied URL; make sure no cache keeps a copy.
  res.set({
    'Cache-Control': 'no-store'
  })

  res.render('link.ejs', {
    title: 'External link',
    valid,
    noteURL,
    targetURL,
    opengraph: []
  })
}

module.exports = {
  serveLinkWarningPage
}