Diffstat (limited to 'packages/backend/src/server/web/UrlPreviewService.ts')
-rw-r--r--packages/backend/src/server/web/UrlPreviewService.ts7
1 files changed, 7 insertions, 0 deletions
diff --git a/packages/backend/src/server/web/UrlPreviewService.ts b/packages/backend/src/server/web/UrlPreviewService.ts
index 160cf37c00..da2660ab0f 100644
--- a/packages/backend/src/server/web/UrlPreviewService.ts
+++ b/packages/backend/src/server/web/UrlPreviewService.ts
@@ -139,6 +139,13 @@ export class UrlPreviewService {
return;
}
+ // Enforce HTTP(S) for input URLs
+ const urlScheme = this.utilityService.getUrlScheme(url);
+ if (urlScheme !== 'http:' && urlScheme !== 'https:') {
+ reply.code(400);
+ return;
+ }
+
const lang = request.query.lang;
if (Array.isArray(lang)) {
reply.code(400);
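Review bot: The scheme check on `urlScheme` validates only the caller-supplied URL, so it does not by itself limit where the preview fetch ends up if the fetcher follows redirects, nor which hosts it may reach; whether that is handled later in this handler or in the fetcher is not visible in the hunk. `getUrlScheme` is defined elsewhere, and if it parses with `new URL()` a malformed input would presumably throw and surface as a 500 instead of the intended 400, so confirm that it returns a sentinel or guard the call. I would widen the comment to state the scope, e.g. `// Enforce HTTP(S) for the input URL only; redirect targets and destination hosts are checked by the fetcher (confirm)`. The enclosing handler starts and ends outside the hunk.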