diff --git a/www/assert/main.js b/www/assert/main.js
index c29b3bfa3..a467bfc67 100644
--- a/www/assert/main.js
+++ b/www/assert/main.js
@@ -334,6 +334,12 @@ define([
 !secret.hashData.present);
 }, "test support for ugly tracking query paramaters in url");
+ assert(function (cb) {
+ var url = '//cryptpad.fr/pad/#/2/pad/edit/oRE0oLCtEXusRDyin7GyLGcS/';
+ var parsed = Hash.isValidHref(url);
+ cb(!parsed);
+ }, "test that protocol relative URLs are rejected");
+
 assert(function (cb) {
 var keys = Block.genkeys(Nacl.randomBytes(64));
 var hash = Block.getBlockHash(keys);
@@ -349,7 +355,7 @@ define([
 var v3 = Hash.isValidHref('/pad');
 var v4 = Hash.isValidHref('/pad/');
- var res = v1 && v2 && v3 && v4;
+ var res = Boolean(v1 && v2 && v3 && v4);
 cb(res);
 if (!res) {
 console.log(v1, v2, v3, v4);
@@ -361,7 +367,7 @@ define([
 var v3 = Hash.isValidHref('/pad#'); // Invalid
 var v4 = Hash.isValidHref('/pad/#');
- var res = v1 && v2 && v3 && v4;
+ var res = Boolean(v1 && v2 && v3 && v4);
 cb(res);
 if (!res) {
 console.log(v1, v2, v3, v4);
@@ -373,7 +379,7 @@ define([
 var v3 = Hash.isValidHref('https://cryptpad.fr/pad/#67b8385b07352be53e40746d2be6ccd7XAYSuJYYqa9NfmInyHci7LNy');
 var v4 = Hash.isValidHref('/pad/#/2/pad/edit/HGu0tK2od-2BBnwAz2ZNS-t4/p/embed');
- var res = v1 && v2 && v3 && v4;
+ var res = Boolean(v1 && v2 && v3 && v4);
 cb(res);
 if (!res) {
 console.log(v1, v2, v3, v4);
diff --git a/www/common/common-hash.js b/www/common/common-hash.js
index c5133fae0..afdecbf57 100644
--- a/www/common/common-hash.js
+++ b/www/common/common-hash.js
@@ -465,7 +465,7 @@ Version 4: Data URL when not a realtime link yet (new pad or "static" app)
 if (!/^https*:\/\//.test(href)) {
 // If it doesn't start with http(s), it should be a relative href
- if (!/^\//.test(href)) { return ret; } // XXX this will allow protocol relative URLs
+ if (!/^\/($|[^\/])/.test(href)) { return ret; }
 idx = href.indexOf('/#');
 ret.type = href.slice(1, idx);
 if (idx === -1) { return ret; }
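Review bot: The new test checks a single protocol-relative form, but the check it exercises, `/^\/($|[^\/])/` in the www/common/common-hash.js hunk, still accepts an href whose second character is a backslash, and browsers resolve `/\host/...` as protocol-relative for http(s) URLs because the WHATWG URL parser treats `\` like `/` in special schemes. Tightening the regex to `/^\/($|[^\/\\])/` closes that gap, and the test should pin it as well, e.g. `var url2 = '/\\cryptpad.fr/pad/';` followed by `cb(!parsed && !Hash.isValidHref(url2));`. A bare `'//'` is already rejected by the `$|[^\/]` alternation, but a case for it would document where the boundary sits. The enclosing `define([` callback starts and ends outside the hunk.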
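Review bot: In the third hunk of www/assert/main.js `v3 = Hash.isValidHref('/pad#')` is annotated `// Invalid`, yet `res = Boolean(v1 && v2 && v3 && v4)` passed to `cb(res)` requires all four results to be truthy, so either the comment is stale and `/pad#` is accepted, or the test can never pass. If `isValidHref` yields a falsy value for a rejected href, as the new test in the first hunk assumes via `cb(!parsed)`, the expectation should read `var res = Boolean(v1 && v2 && !v3 && v4);`; otherwise the comment should be dropped so the test documents what it actually asserts. The enclosing assert callback starts and ends outside the hunk.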
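Review bot: The outer condition on this hunk's first context line, `/^https*:\/\//`, matches `httpss://` and longer runs of `s` as well as `http://` and `https://`; `https?` is what the comment on the next line describes, and it keeps such hrefs out of the relative-href branch. With the XXX marker removed, nothing on the changed line records what `/^\/($|[^\/])/` rules out; a short `// Reject protocol-relative hrefs (//host/...), accept '/' and '/app...'` on that line would preserve the intent. Separately, `ret.type = href.slice(1, idx)` runs before the `idx === -1` guard, so an href without `/#` such as `'/pad'` leaves `ret.type` set to `'pa'` when `ret` is returned, which looks unintended; moving the guard above the assignment avoids it. The enclosing function starts and ends outside the hunk.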