mirror of https://github.com/hedgedoc/hedgedoc.git synced 2026-07-01 11:45:26 +02:00
HedgeDoc/lib/links.js
Erik Michelson 814271dc0b feat(editor): add external link warning page
A malicious user could modify a valid-looking link (for example of the editor UI)
to point to a malicious site, by using overlays and CSS. Since CSS should stay
enabled, we need to make the user aware of possible risks when leaving the
HedgeDoc instance, in order to protect them from credential-theft.

This commit adds a new interstitial page for external links, that shows the
target URL and asks the user, whether they really want to continue.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2026-06-10 20:15:09 +02:00


module.exports = {
  /**
   * Renders the interstitial warning page shown before a user follows an
   * external link out of the instance.
   *
   * Query parameters read:
   *   - `url`:  the external target. It is only marked `valid` when it parses
   *             as an absolute URL with an `http:` or `https:` scheme, so
   *             schemes such as `javascript:` or `data:` are never flagged valid.
   *   - `note`: identifier of the originating note. Anything outside
   *             `[A-Za-z0-9_-]` is dropped to an empty string.
   *
   * @param {object} req Express-style request; only `req.query` is read.
   * @param {object} res Express-style response; receives the header and the render call.
   */
  serveLinkWarningPage: function (req, res) {
    const query = req.query

    // Only plain strings are accepted. Any other type the query parser may
    // hand over (array, object, undefined) collapses to ''.
    const noteParam = typeof query.note === 'string' ? query.note : ''
    // Strict allowlist: an empty or non-matching value becomes ''.
    const noteURL = /^[\w-]+$/.test(noteParam) ? noteParam : ''

    let targetURL = typeof query.url === 'string' ? query.url : ''
    let valid
    try {
      // NOTE(review): Express query parsers normally percent-decode values
      // already, so this is presumably a second decode. A target that
      // legitimately contains escapes (e.g. `%2F`, `%23`) would then be
      // altered, and a bare `%` makes the decode throw. Confirm against the
      // code that builds these links.
      targetURL = decodeURIComponent(targetURL)
      const { protocol, href } = new URL(targetURL)
      // The normalised serialisation is what gets rendered, so the URL shown
      // and the URL linked come from the same parsed value.
      // NOTE(review): `href` keeps any userinfo part (`https://name@host/`),
      // which can make the real host harder to spot; consider whether the
      // template should display the hostname separately.
      targetURL = href
      valid = protocol === 'http:' || protocol === 'https:'
    } catch {
      // Malformed escape sequence or unparsable URL: treat as invalid.
      valid = false
    }

    // The page reflects request input, so it must not be stored by caches.
    res.set({
      'Cache-Control': 'no-store'
    })

    // NOTE(review): `targetURL` is passed on even when `valid` is false
    // (raw, decoded, or a parsed non-http(s) href). link.ejs is not visible
    // here; verify it never emits the value as a link target in that case.
    const viewData = {
      title: 'External link',
      valid,
      noteURL,
      targetURL,
      opengraph: []
    }
    res.render('link.ejs', viewData)
  }
}