From f2eb4b808386d61c53b7bdb5cad8925b5fe9414b Mon Sep 17 00:00:00 2001
From: psychobunny
Date: Fri, 10 Mar 2017 14:03:07 -0500
Subject: [PATCH] closes #5439
---
 public/language/en-GB/admin/settings/general.json | 3 ++-
 public/src/ajaxify.js | 9 +++++++--
 src/controllers/api.js | 4 ++++
 src/views/admin/settings/general.tpl | 5 +++++
 4 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/public/language/en-GB/admin/settings/general.json b/public/language/en-GB/admin/settings/general.json
index c26740ee4f..8db88bb958 100644
--- a/public/language/en-GB/admin/settings/general.json
+++ b/public/language/en-GB/admin/settings/general.json
@@ -26,5 +26,6 @@
 "touch-icon.upload": "Upload",
 "touch-icon.help": "Recommended size and format: 192x192, PNG format only. If no touch icon is specified, NodeBB will fall back to using the favicon.",
 "outgoing-links": "Outgoing Links",
- "outgoing-links.warning-page": "Use Outgoing Links Warning Page"
+ "outgoing-links.warning-page": "Use Outgoing Links Warning Page",
+ "outgoing-links.whitelist": "Domains to whitelist for bypassing the warning page"
 }
\ No newline at end of file
diff --git a/public/src/ajaxify.js b/public/src/ajaxify.js
index 913dbb6fd6..539de6c47b 100644
--- a/public/src/ajaxify.js
+++ b/public/src/ajaxify.js
@@ -366,8 +366,13 @@ $(document).ready(function () {
 window.open(this.href, '_blank');
 e.preventDefault();
 } else if (config.useOutgoingLinksPage) {
- ajaxify.go('outgoing?url=' + encodeURIComponent(this.href));
- e.preventDefault();
+ var safeUrls = config.outgoingLinksWhitelist.trim().split(/[\s,]+/g);
+ var href = this.href;
+
+ if (!safeUrls.some(function(url) { return href.indexOf(url) !== -1; } )) {
+ ajaxify.go('outgoing?url=' + encodeURIComponent(href));
+ e.preventDefault();
+ }
 }
 }
 }
diff --git a/src/controllers/api.js b/src/controllers/api.js
index 5ddbd0731b..f7158481e7 100644
--- a/src/controllers/api.js
+++ b/src/controllers/api.js
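Review bot: The whitelist test added in the ajaxify.js hunk, `href.indexOf(url) !== -1`, is a substring match over the whole URL, so a whitelisted domain that appears anywhere in a link (path, query string, or as part of a longer hostname) skips the outgoing-links warning page. An empty setting has the same effect for every link, because `''.trim().split(/[\s,]+/g)` yields `['']` and `indexOf('')` is never -1, which means enabling the warning page without filling in the whitelist effectively turns the page off. The api.js hunk copies `meta.config['outgoingLinks:whitelist']` without a default, so an unset value makes `.trim()` throw inside the click handler; `meta.config['outgoingLinks:whitelist'] || ''` there would cover it. I would compare the anchor's `hostname` against the non-empty entries instead, as sketched below, assuming the entries are meant to be bare domains and that subdomains of a listed domain should also pass. The click handler starts and ends outside the hunk.

```javascript
} else if (config.useOutgoingLinksPage) {
	// Drop empty entries so a blank or unset setting whitelists nothing.
	var safeHosts = (config.outgoingLinksWhitelist || '').toLowerCase().split(/[\s,]+/).filter(Boolean);
	var hostname = this.hostname.toLowerCase();
	var href = this.href;

	// Match the link's host exactly or as a subdomain, never as a substring of the URL.
	var isSafe = safeHosts.some(function (host) {
		return hostname === host || hostname.slice(-(host.length + 1)) === '.' + host;
	});

	if (!isSafe) {
		ajaxify.go('outgoing?url=' + encodeURIComponent(href));
		e.preventDefault();
	}
	// … unchanged: closing braces of the handler …
```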
@@ -64,6 +64,10 @@ apiController.getConfig = function (req, res, next) { config.bootswatchSkin = meta.config.bootswatchSkin || 'noskin'; config.defaultBootswatchSkin = meta.config.bootswatchSkin || 'noskin'; + if (config.useOutgoingLinksPage) { + config.outgoingLinksWhitelist = meta.config['outgoingLinks:whitelist']; + } + var timeagoCutoff = meta.config.timeagoCutoff === undefined ? 30 : meta.config.timeagoCutoff; config.timeagoCutoff = timeagoCutoff !== '' ? Math.max(0, parseInt(timeagoCutoff, 10)) : timeagoCutoff; diff --git a/src/views/admin/settings/general.tpl b/src/views/admin/settings/general.tpl index 990509e41f..c78691037e 100644 --- a/src/views/admin/settings/general.tpl +++ b/src/views/admin/settings/general.tpl @@ -123,6 +123,11 @@ [[admin/settings/general:outgoing-links.warning-page]] + +
+ + +