| author | Julia Johannesen <julia@insertdomain.name> | 2025-04-27 13:05:09 -0400 |
|---|---|---|
| committer | Julia Johannesen <julia@insertdomain.name> | 2025-04-27 13:05:09 -0400 |
| commit | 0bb4e57b0c646a20aa46e6cac545b37682629e89 (patch) | |
| tree | cae0d041c41353c1c8a9e8616abc3f609de87194 /packages/frontend/src/components/global | |
| parent | merge: 2025.2.2 (!927) (diff) | |
Security fixes
Co-Authored-By: dakkar <dakkar@thenautilus.net>
Diffstat (limited to 'packages/frontend/src/components/global')
| -rw-r--r-- | packages/frontend/src/components/global/MkMfm.ts | 7 | ||||
| -rw-r--r-- | packages/frontend/src/components/global/MkUrl.vue | 6 |
2 files changed, 8 insertions, 5 deletions
diff --git a/packages/frontend/src/components/global/MkMfm.ts b/packages/frontend/src/components/global/MkMfm.ts
index 9785bc0f07..b292f86445 100644
--- a/packages/frontend/src/components/global/MkMfm.ts
+++ b/packages/frontend/src/components/global/MkMfm.ts
@@ -20,6 +20,7 @@ import MkGoogle from '@/components/MkGoogle.vue';
 import MkSparkle from '@/components/MkSparkle.vue';
 import MkA, { MkABehavior } from '@/components/global/MkA.vue';
 import { defaultStore } from '@/store.js';
+import { clamp } from '@@/js/math.js';
 
 function safeParseFloat(str: unknown): number | null {
 if (typeof str !== 'string' || str === '') return null;
@@ -309,10 +310,10 @@ export default function (props: MfmProps, { emit }: { emit: SetupContext<MfmEven
 style = '';
 break;
 }
- const x = Math.min(safeParseFloat(token.props.args.x) ?? 1, 5);
- const y = Math.min(safeParseFloat(token.props.args.y) ?? 1, 5);
+ const x = clamp(safeParseFloat(token.props.args.x) ?? 1, -5, 5);
+ const y = clamp(safeParseFloat(token.props.args.y) ?? 1, -5, 5);
 style = `transform: scale(${x}, ${y});`;
- scale = scale * Math.max(x, y);
+ scale = scale * Math.max(Math.abs(x), Math.abs(y));
 break;
 }
 case 'fg': {
diff --git a/packages/frontend/src/components/global/MkUrl.vue b/packages/frontend/src/components/global/MkUrl.vue
index 5196a63635..f4ed7ae427 100644
--- a/packages/frontend/src/components/global/MkUrl.vue
+++ b/packages/frontend/src/components/global/MkUrl.vue
@@ -5,7 +5,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 <template>
 <component
- :is="self ? 'MkA' : 'a'" ref="el" :class="$style.root" class="_link" :[attr]="self ? props.url.substring(local.length) : props.url" :rel="rel ?? 'nofollow noopener'" :target="target"
+ :is="self ? 'MkA' : 'a'" ref="el" :class="$style.root" class="_link" :[attr]="maybeRelativeUrl" :rel="rel ?? 'nofollow noopener'" :target="target"
 :behavior="props.navigationBehavior"
 @contextmenu.stop="() => {}"
 @click.prevent="self ? true : warningExternalWebsite(props.url)"
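Review bot: The two `clamp(..., -5, 5)` lines in the `scale` case of MkMfm.ts give no reason for the symmetric bound, and the limit is a bare literal repeated on both lines. Because `x` and `y` are parsed from user-authored MFM, a short comment above them would keep a later edit from reverting to a one-sided cap, for example `// x/y come from post text; negative values mirror, so bound the magnitude on both sides and budget nesting by |factor|`. It is also worth confirming that `clamp` from `@@/js/math.js`, which is not shown here, does not pass `NaN` through, since only the first lines of `safeParseFloat` are visible in this diff. The enclosing render function starts and ends outside the hunk.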
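Review bot: In the MkUrl.vue template hunk the bound link attribute now reads `maybeRelativeUrl`, which the script hunk further down declares as a plain `const` evaluated once, whereas the removed expression read `props.url` at render time. If the `url` prop changes on a mounted instance, the link attribute would keep the first value while `@click.prevent` still passes the current `props.url` to `warningExternalWebsite`, so the rendered target and the URL named in the warning could differ. Deriving the value reactively would avoid that, e.g. `const maybeRelativeUrl = computed(() => maybeMakeRelative(props.url, local));` with `self` derived the same way, assuming `computed` is already available in this component (its imports are only partly visible).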
@@ -35,6 +35,7 @@ import { useTooltip } from '@/scripts/use-tooltip.js';
 import { isEnabledUrlPreview } from '@/instance.js';
 import { MkABehavior } from '@/components/global/MkA.vue';
 import { warningExternalWebsite } from '@/scripts/warning-external-website.js';
+import { maybeMakeRelative } from '@@/js/url.js';
 
 function safeURIDecode(str: string): string {
 try {
@@ -53,7 +54,8 @@ const props = withDefaults(defineProps<{
 showUrlPreview: true,
 });
 
-const self = props.url.startsWith(local);
+const maybeRelativeUrl = maybeMakeRelative(props.url, local);
+const self = maybeRelativeUrl !== props.url;
 const url = new URL(props.url);
 if (!['http:', 'https:'].includes(url.protocol)) throw new Error('invalid url');
 const el = ref(); |
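Review bot: `const self = maybeRelativeUrl !== props.url;` decides that a link is local from the fact that the helper changed the string, which ties a trust decision to an undocumented return convention of `maybeMakeRelative` (defined in `@@/js/url.js`, not visible here). If that helper ever normalises an external URL, the link would be rendered through `MkA` and skip `warningExternalWebsite`; an explicit origin comparison, or a helper that returns the local/external verdict alongside the string, would make the decision independent of string formatting. The helper also now runs before the `new URL(props.url)` protocol check two lines below, so it should either be confirmed to tolerate unparseable or non-http(s) input or be moved after that check. At minimum a comment such as `// maybeMakeRelative returns its input unchanged for non-local URLs` should state the contract being relied on.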