From 31bd0d909d5f33d33e85bbf45b75b4753a959dfa Mon Sep 17 00:00:00 2001
From: Alexander Zinchuk
Date: Wed, 5 Jul 2023 13:16:13 +0200
Subject: [PATCH] Link: Validate protocol by whitelist (#3505)
---
 src/util/ensureProtocol.ts | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/util/ensureProtocol.ts b/src/util/ensureProtocol.ts
index f32c5bbf8..40f07af36 100644
--- a/src/util/ensureProtocol.ts
+++ b/src/util/ensureProtocol.ts
@@ -1,19 +1,22 @@
+const PROTOCOL_WHITELIST = new Set(['http:', 'https:', 'tg:', 'ton:', 'mailto:', 'tel:']);
+// HTTP was chosen by default as a fix for https://bugs.telegram.org/c/10712.
+// It is also the default protocol in the official TDesktop client.
+const FALLBACK_PREFIX = 'http://';
+
 export function ensureProtocol(url?: string) {
 if (!url) {
 return undefined;
 }
- // HTTP was chosen by default as a fix for https://bugs.telegram.org/c/10712.
- // It is also the default protocol in the official TDesktop client.
 try {
 const parsedUrl = new URL(url);
 // eslint-disable-next-line no-script-url
- if (parsedUrl.protocol === 'javascript:') {
- return `http://${url}`;
+ if (!PROTOCOL_WHITELIST.has(parsedUrl.protocol)) {
+ return `${FALLBACK_PREFIX}${url}`;
 }
 return url;
 } catch (err) {
- return `http://${url}`;
+ return `${FALLBACK_PREFIX}${url}`;
 }
 }
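Review bot: The allowlist check runs on `parsedUrl.protocol`, but the function still returns the raw `url` string on the `return url;` line, so the value that was validated is not the value handed to the caller. `new URL()` trims surrounding whitespace and control characters and drops embedded tabs and newlines before it determines the scheme, so a consumer that parses the string differently from the WHATWG parser could see another scheme than the one checked; the callers are not visible in this hunk, so how much this matters depends on where the result ends up. Returning the normalised form, `return parsedUrl.href;`, would close that gap, at the cost of changing the returned string for links that are already valid. Separately, the `// eslint-disable-next-line no-script-url` directive above the new `if` no longer guards a `javascript:` literal and can be removed.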