From a48c7d2364d46bcbb049624b5dd4c056eb90a496 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Wed, 12 Jul 2017 14:16:47 +0100
Subject: [PATCH] Only allow http and https widget URLs
---
 src/components/views/elements/AppTile.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js
index 66d6b1ff3a..3c3f01c1cd 100644
--- a/src/components/views/elements/AppTile.js
+++ b/src/components/views/elements/AppTile.js
@@ -16,13 +16,14 @@ limitations under the License.
 'use strict';
+import url from 'url';
 import React from 'react';
 import MatrixClientPeg from '../../../MatrixClientPeg';
 import ScalarAuthClient from '../../../ScalarAuthClient';
 import SdkConfig from '../../../SdkConfig';
 import { _t } from '../../../languageHandler';
-import url from 'url';
+const ALLOWED_APP_URL_SCHEMES = ['https:', 'http:'];
 export default React.createClass({
 displayName: 'AppTile',
@@ -126,9 +127,14 @@ export default React.createClass({
 // a link to it.
 const sandboxFlags = "allow-forms allow-popups allow-popups-to-escape-sandbox "+ "allow-same-origin allow-scripts";
+ const parsedWidgetUrl = url.parse(this.state.widgetUrl);
+ let safeWidgetUrl = '';
+ if (ALLOWED_APP_URL_SCHEMES.indexOf(parsedWidgetUrl.protocol) !== -1) {
+ safeWidgetUrl = url.format(parsedWidgetUrl);
+ }
 appTileBody = (
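Review bot: `ALLOWED_APP_URL_SCHEMES` in the first hunk is a security allowlist, yet it is a plain mutable array with no comment explaining why each entry carries a trailing colon. Freezing it and stating the expected shape makes the contract explicit to the next maintainer: `// Schemes a widget iframe may be loaded from; entries match url.parse(...).protocol, trailing colon included.` followed by `const ALLOWED_APP_URL_SCHEMES = Object.freeze(['https:', 'http:']);`. The hoisted `import url from 'url'` is only a reorder and needs no change. The code that consumes this list lives in the second hunk, whose end lies outside the visible patch, so it is not reviewed here.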
-