Check callback url

sakura-tel · Feb 10, 2023 · 1f6ae07 · 1f6ae07
1 parent 88d237a
commit 1f6ae07
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/client/app/auth/views/index.vue b/src/client/app/auth/views/index.vue
@@ -82,6 +82,8 @@ export default Vue.extend({
 		accepted() {
 			this.state = 'accepted';
 			if (this.session.app.callbackUrl) {
+				const url = new URL(this.session.app.callbackUrl);
+				if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(url.protocol)) throw new Error('invalid url');
 				location.href = `${this.session.app.callbackUrl}?token=${this.session.token}`;
 			}
 		}