summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--packages/frontend/src/pages/auth.vue2
-rw-r--r--packages/frontend/src/pages/miauth.vue2
2 files changed, 3 insertions, 1 deletions
diff --git a/packages/frontend/src/pages/auth.vue b/packages/frontend/src/pages/auth.vue
index bb55881a22..b7727ca30d 100644
--- a/packages/frontend/src/pages/auth.vue
+++ b/packages/frontend/src/pages/auth.vue
@@ -77,6 +77,8 @@ export default defineComponent({
accepted() {
this.state = 'accepted';
if (this.session.app.callbackUrl) {
+ const url = new URL(this.session.app.callbackUrl);
+ if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(url.protocol)) throw new Error('invalid url');
location.href = `${this.session.app.callbackUrl}?token=${this.session.token}`;
}
}, onLogin(res) {
diff --git a/packages/frontend/src/pages/miauth.vue b/packages/frontend/src/pages/miauth.vue
index 3debaeeb61..9a4019e5b1 100644
--- a/packages/frontend/src/pages/miauth.vue
+++ b/packages/frontend/src/pages/miauth.vue
@@ -70,7 +70,7 @@ async function accept(): Promise<void> {
state = 'accepted';
if (props.callback) {
const cbUrl = new URL(props.callback);
- if (!['http:', 'https:'].includes(cbUrl.protocol)) throw new Error('invalid url');
+ if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(cbUrl.protocol)) throw new Error('invalid url');
cbUrl.searchParams.set('session', props.session);
location.href = cbUrl.href;
}
generated by cgit v1.2.3-freya (git 2.53.0.84.g453e7b744a) at 2026-04-27 11:40:53 +0000