hyperzlib
/
nodebb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

utilising whitelist instead of blacklisting javascript protocol

Browse Source
v1.18.x
Julian Lam 7 years ago
parent 5863d64d27
commit 72502ff992
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File

4
src/controllers/index.js
Unescape Escape View File

@ -390,8 +390,10 @@ Controllers.manifest = function (req, res) {
Controllers.outgoing = function (req, res, next) { Controllers.outgoing = function (req, res, next) {
var url = req.query.url || ''; var url = req.query.url || '';
var allowedProtocols = ['http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn', 'tel', 'fax', 'xmpp', 'webcal'];
var parsed = require('url').parse(url);
if (!url || url.startsWith('javascript:')) { if (!url || !allowedProtocols.includes(parsed.protocol.slice(0, -1))) {
return next(); return next();
} }

Write Preview
Loading…
Cancel
Save