From 0bb4e57b0c646a20aa46e6cac545b37682629e89 Mon Sep 17 00:00:00 2001
From: Julia Johannesen <julia@insertdomain.name>
Date: Sun, 27 Apr 2025 13:05:09 -0400
Subject: Security fixes

Co-Authored-By: dakkar <dakkar@thenautilus.net>
---
 packages/frontend-shared/js/math.ts | 10 ++++++++++
 packages/frontend-shared/js/url.ts  | 17 +++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 packages/frontend-shared/js/math.ts

(limited to 'packages/frontend-shared')

diff --git a/packages/frontend-shared/js/math.ts b/packages/frontend-shared/js/math.ts
new file mode 100644
index 0000000000..528f3b08bf
--- /dev/null
+++ b/packages/frontend-shared/js/math.ts
@@ -0,0 +1,10 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export function clamp(value: number, min: number, max: number) {
+	if (value > max) return max;
+	if (value < min) return min;
+	return value;
+}
diff --git a/packages/frontend-shared/js/url.ts b/packages/frontend-shared/js/url.ts
index eb830b1eea..e4f9ca513d 100644
--- a/packages/frontend-shared/js/url.ts
+++ b/packages/frontend-shared/js/url.ts
@@ -26,3 +26,20 @@ export function extractDomain(url: string) {
 	const match = url.match(/^(?:https?:)?(?:\/\/)?(?:[^@\n]+@)?([^:\/\n]+)/im);
 	return match ? match[1] : null;
 }
+
+export function maybeMakeRelative(urlStr: string, baseStr: string): string {
+	try {
+		const baseObj = new URL(baseStr);
+		const urlObj = new URL(urlStr);
+		/* in all places where maybeMakeRelative is used, baseStr is the
+		 * instance's public URL, which can't have path components, so the
+		 * relative URL will always have the whole path from the urlStr
+		*/
+		if (urlObj.origin === baseObj.origin) {
+			return urlObj.pathname + urlObj.search + urlObj.hash;
+		}
+		return urlStr;
+	} catch (e) {
+		return '';
+	}
+}
-- 
cgit v1.2.3-freya