more signature sanity checking

- allows A links to wtvchat and irc, but not any form of embedding (img bgsound etc)
zefie
2022-12-01 06:52:08 -05:00
parent bf4d8d2f7d
commit 64517a8723


@@ -240,8 +240,16 @@ class WTVShared {
var allowed = true;
Object.keys(frame.attribs).forEach((k) => {
if (k == "href" || k == "background" || k == "src") {
allowed = false;
var value = frame.attribs[k];
allowed = false;
var value = frame.attribs[k];
if (frame.tag !== "a") {
// check everything except normal links
if (value.startsWith("wtvchat") || value.startsWith("irc")) {
// don't allow irc embeds
return false;
}
}
Object.keys(allowedProtocols).forEach((j) => {
if (value.startsWith(allowedProtocols[j])) {
allowed = true;
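Review bot: The `return false;` added in the non-`a` branch only ends the `forEach` callback for that one attribute, so the loop still visits the remaining keys; because `allowed` is reset and re-decided for every `href`/`background`/`src` attribute, a later attribute that matches `allowedProtocols` can set `allowed = true` again after an embed was rejected. Make the rejection sticky, for example declare `var blocked = false;` next to `allowed`, use `blocked = true; return;` in the new branch, and evaluate `allowed && !blocked` once the loop is done. The `startsWith("wtvchat")` and `startsWith("irc")` tests are also case-sensitive and prefix-only, so comparing a normalised value (`value.trim().toLowerCase()`) against the scheme including its colon would keep this check and the `allowedProtocols` check from disagreeing. The end of the loop and the place where `allowed` is consumed are outside the hunk, so the effect on the final decision is inferred from the visible lines.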