Explicitly deny bad URLs.

Fixes #252.
Handle untrusted embed links better.
Paul
2021-09-25 10:54:32 +01:00
parent 66289911ba
commit 81379d6ec4
5 changed files with 26 additions and 22 deletions


@@ -1,5 +1,5 @@
.embed {
margin: .2em 0;
margin: 0.2em 0;
iframe {
border: none;
@@ -87,26 +87,30 @@
.footer {
font-size: 12px;
}
img.image {
cursor: pointer;
object-fit: contain;
border-radius: var(--border-radius);
}
a {
cursor: pointer;
}
}
}
// TODO: unified actions css (see attachment.module.scss for other actions css)
.actions {
display: grid;
grid-template:
grid-template:
"name open" auto
"size open" auto
/ minmax(20px, 1fr) min-content;
align-items: center;
column-gap: 12px;
width: 100%;
padding: 8px;
overflow: none;
@@ -119,7 +123,7 @@
white-space: nowrap;
overflow: hidden;
}
.filesize {
grid-area: size;


@@ -111,14 +111,11 @@ export default function Embed({ embed }: Props) {
{embed.title && (
<span>
<a
onClick={(e) =>
openLink(e.currentTarget.href) &&
e.preventDefault()
onMouseDown={(ev) =>
(ev.button === 0 || ev.button === 1) &&
openLink(embed.url)
}
href={embed.url}
target={"_blank"}
className={styles.title}
rel="noreferrer">
className={styles.title}>
{embed.title}
</a>
</span>
@@ -159,9 +156,7 @@ export default function Embed({ embed }: Props) {
frameBorder="0"
loading="lazy"
onClick={() => openScreen({ id: "image_viewer", embed })}
onMouseDown={(ev) =>
ev.button === 1 && window.open(embed.url, "_blank")
}
onMouseDown={(ev) => ev.button === 1 && openLink(embed.url)}
/>
);
}
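Review bot: After this change the title anchor has no `href`, `target` or `rel="noreferrer"`, so the only check on the untrusted `embed.url` is whatever `openLink` does, and its body is not in this section; the same holds for the iframe `onMouseDown` in the second hunk, which used to call `window.open(embed.url, "_blank")` directly. Please confirm that `openLink` rejects anything other than `http:`/`https:` and opens the target with `noopener,noreferrer`, because the protection that `rel="noreferrer"` gave is otherwise lost. I would also record the intent above the `<a>`, e.g. `{/* no href on purpose: embed.url is untrusted and may only be opened via openLink() */}`, since a later edit that restores `href` could let the browser's default navigation bypass the check. Without `href` the anchor is presumably no longer reachable by keyboard and shows no destination on hover, so it is worth confirming that this trade-off is intended.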