From acca0b956e2ef59e83e0e5a7f29848faf750b859 Mon Sep 17 00:00:00 2001
From: Aziz Khoury
Date: Tue, 17 Dec 2019 23:08:09 +0200
Subject: [PATCH] more secure isRelativeUrl (#8087)

---
 public/src/utils.js | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/public/src/utils.js b/public/src/utils.js
index b647356308..b71c9dda48 100644
--- a/public/src/utils.js
+++ b/public/src/utils.js
@@ -487,9 +487,18 @@
 });
 },

+ // https://github.com/sindresorhus/is-absolute-url
+ isAbsoluteUrlRE: /^[a-zA-Z][a-zA-Z\d+\-.]*:/,
+ isWinPathRE: /^[a-zA-Z]:\\/,
+ isAbsoluteUrl: function (url) {
+ if (utils.isWinPathRE.test(url)) {
+ return false;
+ }
+ return utils.isAbsoluteUrlRE.test(url);
+ },
+
 isRelativeUrl: function (url) {
- var firstChar = String(url || '').charAt(0);
- return (firstChar === '.' || firstChar === '/');
+ return !utils.isAbsoluteUrl(url);
 },

 makeNumbersHumanReadable: function (elements) {
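Review bot: `isRelativeUrl` is now the bare negation of the scheme test, so it returns true for every input that lacks a leading `scheme:`, including protocol-relative references such as `//host/path` and their backslash variants, which browsers resolve to a different origin. The removed first-character check let `//` through as well, so the commit does not close that case, and it newly accepts the empty string and `undefined`/`null` (coerced to text by `RegExp.test`), which the old code rejected. Because `isAbsoluteUrlRE` is anchored at `^`, leading whitespace or control characters that URL parsers discard also make an absolute URL pass as relative. If callers use this to decide whether a redirect or link target stays on-site (not visible in this hunk), normalise and reject those forms first, e.g. `url = String(url || '').trim();` then `return url !== '' && !/^[\\/]{2}/.test(url) && !utils.isAbsoluteUrl(url);`, and add a short comment above `isRelativeUrl` stating which inputs it is meant to accept.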