From 1f6ae07f57787ac2d24097847cc5cbaf263841f5 Mon Sep 17 00:00:00 2001
From: mei23
Date: Thu, 9 Feb 2023 22:31:56 +0900
Subject: [PATCH] Check callback url
---
 src/client/app/auth/views/index.vue | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/client/app/auth/views/index.vue b/src/client/app/auth/views/index.vue
index 53bcba3021..3520673c36 100644
--- a/src/client/app/auth/views/index.vue
+++ b/src/client/app/auth/views/index.vue
@@ -82,6 +82,8 @@ export default Vue.extend({
 accepted() {
 this.state = 'accepted';
 if (this.session.app.callbackUrl) {
+ const url = new URL(this.session.app.callbackUrl);
+ if (['javascript:', 'file:', 'data:', 'mailto:', 'tel:'].includes(url.protocol)) throw new Error('invalid url');
 location.href = `${this.session.app.callbackUrl}?token=${this.session.token}`;
 }
 }
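Review bot: The scheme check on the added lines is a denylist, so any scheme not in the list still reaches `location.href` with the session token appended; an allowlist fails closed, e.g. `if (!['http:', 'https:'].includes(url.protocol)) throw new Error('invalid url');`, extended with specific custom schemes only if registered native apps need them. The parsed `url` is used only for the check while navigation still concatenates the raw string, so a callback that already has a query or fragment gets a malformed `?token=`; `url.searchParams.set('token', this.session.token); location.href = url.href;` would make the validated value and the navigated value the same. `new URL()` also throws a TypeError on a relative or malformed callback, after `this.state` has already been set to 'accepted', and nothing in the visible lines catches either throw. This is a client-side check only; presumably the server should also reject such callback URLs when the app is registered, which this hunk does not show.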