Prevent Disguised Links #1428
I think the goal here is to prevent impersonation of any link - not just SN links. It's pretty non-trivial though because we'd need a list of tlds. Or maybe simply checking for @ekzyis made the issue maybe he has a better idea for what this should do.
No probs. I'll wait for refinement on the requirements and then make the change.
Yes, I intended to solve generally misleading links. I think we can use the regexp @huumn mentioned and URL parsing to check if it looks misleading like this:
diff --git a/components/media-or-link.js b/components/media-or-link.js
index 76ac52d7..5639d3f6 100644
--- a/components/media-or-link.js
+++ b/components/media-or-link.js
@@ -11,6 +11,7 @@ import YouTube from 'react-youtube'
import useDarkMode from './dark-mode'
function LinkRaw ({ href, children, src, rel }) {
+ // prevent misleading users via URLs from origin X disguised as from origin Y
const isRawURL = /^https?:\/\//.test(children?.[0])
return (
// eslint-disable-next-line
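Review bot: The comment added at the top of LinkRaw describes a protection that no line in this hunk implements: the only code under it is the isRawURL test for an http(s) prefix, and nothing visible here compares origins. Move the comment next to the origin comparison in components/text.js, or reword it to say what isRawURL is used for, so a later reader does not assume LinkRaw enforces the check.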
diff --git a/components/text.js b/components/text.js
index ac5c2851..8c5c7758 100644
--- a/components/text.js
+++ b/components/text.js
@@ -176,9 +176,21 @@ export default memo(function Text ({ rel, imgproxyUrls, children, tab, itemId, o
return href
}
- // If [text](url) was parsed as <a> and text is not empty and not a link itself,
- // we don't render it as an image since it was probably a conscious choice to include text.
- const text = children[0]
+ let text = children[0]
+ // we use the actual URL as the text if text in [text](url) is a misleading
+ if (/^\s*(\w+\.)+\w+/.test(text)) {
+ let misleading = false
+ try {
+ if (new URL(text).origin !== new URL(href).origin) misleading = true
+ } catch {}
+
+ try {
+ if (new URL('https://' + text).origin !== new URL(href).origin) misleading = true
+ } catch {}
+
+ if (misleading) text = href
+ }
+
let url
try {
url = !href.startsWith('/') && new URL(href)
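Review bot: The guard regex on the added `if` cannot match text that begins with `https://`, so inside the block `new URL(text)` only sees scheme-less text and throws for an ordinary hostname, and text written with an explicit scheme skips the comparison in this hunk entirely. Allow an optional `https?://` prefix in the regex and pick a single parse path depending on whether it matched. The regex also accepts leading whitespace that `'https://' + text` does not strip, and both empty `catch {}` blocks leave `misleading` false when parsing fails, so trim `text` before parsing and treat a parse failure as misleading. The added comment also ends mid-sentence ("is a misleading").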
@@ -254,7 +266,7 @@ export default memo(function Text ({ rel, imgproxyUrls, children, tab, itemId, o
}
// assume the link is an image which will fallback to link if it's not
- return <TextMediaOrLink src={href} rel={rel ?? UNKNOWN_LINK_REL} {...props}>{children}</TextMediaOrLink>
+ return <TextMediaOrLink src={href} rel={rel ?? UNKNOWN_LINK_REL} {...props}>{text}</TextMediaOrLink>
},
img: TextMediaOrLink
}), [outlawed, rel, itemId, Code, P, Heading, Table, TextMediaOrLink])
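Review bot: Passing `{text}` in this return renders only `children[0]` for every link that reaches it, because `text` was assigned from `children[0]` in the previous hunk; any further child nodes of the link are dropped even when nothing was judged misleading. Keep `{children}` on the normal path and substitute `href` only when the check fires, for example `{misleading ? href : children}` with `misleading` declared outside the `if`.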
This seemed to work during my shallow testing. Maybe you can test this @tsmith123 more and if you don't find anything or don't have a better solution, push it to this PR.
Hey @ekzyis Therefore, I've modified the logic slightly and I've also moved it into its own function called Note: when using the example from the issue description (with the npub link) it renders an embed rather than just the text like in the actual post. I don't know SN well enough to know if this is a regression so if you could check this that would be cool.
I ended up fixing this in #1430 as I was refactoring the nasty
Cheers @huumn appreciate that 👍
Did your refactor get merged?
Yep, it's merged. I haven't the last few days of awards though. I'll try to do it by end of day.
Description
Fixes #1397
When adding links with a "text part" and an "href part" to the editor, if the text part contains a string that resembles a link then ensure that it's the same as the href part. If it isn't, then render the href part only.
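
The rule in the description, written as a stand-alone function (an added example, not code from this PR or from #1430). The names `linkText`, `parseUrl`, `LINK_LIKE` and the `SITE_ORIGIN` placeholder are assumptions made here; unlike the diff in the conversation, it accepts text that starts with a scheme and falls back to the href when either side fails to parse.

```javascript
// Added example, not code from the PR. SITE_ORIGIN is a constructed
// placeholder used only to resolve relative hrefs such as "/items/1".
const SITE_ORIGIN = 'https://sn.example'

// Text "resembles a link" when it starts with an optional http(s) scheme,
// a dotted host name and an optional port.
const LINK_LIKE = /^(https?:\/\/)?([\w-]+\.)+[\w-]+(:\d+)?/i

function parseUrl (value, base) {
  try {
    return new URL(value, base)
  } catch {
    return null
  }
}

// Returns what to render as the visible part of [text](href).
function linkText (text, href) {
  if (typeof text !== 'string') return text // e.g. a nested element, not checked here
  const match = text.trim().match(LINK_LIKE)
  if (!match) return text // ordinary words: keep the author's text

  const hasScheme = Boolean(match[1])
  const shown = parseUrl(hasScheme ? match[0] : 'https://' + match[0])
  const target = parseUrl(href, SITE_ORIGIN)
  // Fail closed: if either side does not parse, show the real destination.
  if (!shown || !target) return href

  // With a scheme in the text, scheme + host + port must match (origin).
  // Without one, only host + port can be compared.
  const same = hasScheme
    ? shown.origin === target.origin
    : shown.host === target.host
  return same ? text : href
}
```

Like the regexp discussed in the thread, `LINK_LIKE` has no TLD list, so text such as a version number also counts as link-like and is replaced by the href.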