Explicitly deny bad URLs.

Fixes #252. Handle embed untrusted links better.
2026-03-07 17:35:28 +00:00 · 2021-09-25 10:54:32 +01:00
parent 66289911ba
commit 81379d6ec4
5 changed files with 26 additions and 22 deletions
--- a/src/components/common/messaging/embed/Embed.tsx
+++ b/src/components/common/messaging/embed/Embed.tsx
@@ -111,14 +111,11 @@ export default function Embed({ embed }: Props) {
                        {embed.title && (
                            <span>
                                <a
-                                    onClick={(e) =>
-                                        openLink(e.currentTarget.href) &&
-                                        e.preventDefault()
+                                    onMouseDown={(ev) =>
+                                        (ev.button === 0 || ev.button === 1) &&
+                                        openLink(embed.url)
                                    }
-                                    href={embed.url}
-                                    target={"_blank"}
-                                    className={styles.title}
-                                    rel="noreferrer">
+                                    className={styles.title}>
                                    {embed.title}
                                </a>
                            </span>
@@ -159,9 +156,7 @@ export default function Embed({ embed }: Props) {
                    frameBorder="0"
                    loading="lazy"
                    onClick={() => openScreen({ id: "image_viewer", embed })}
-                    onMouseDown={(ev) =>
-                        ev.button === 1 && window.open(embed.url, "_blank")
-                    }
+                    onMouseDown={(ev) => ev.button === 1 && openLink(embed.url)}
                />
            );
        }