diff --git a/www/support/ui.js b/www/support/ui.js
index ce3f09702..454dddcfc 100644
--- a/www/support/ui.js
+++ b/www/support/ui.js
@@ -179,8 +179,6 @@ define([
 }).on('change', function (e) {
 var files = Util.slice(e.target.files);
 files.forEach(function (file) {
- // XXX validate that the href is hosted on the same instance
- // use relative URLs or compare it against a list or allowed domains?
 var ev = {};
 ev.callback = function (data) {
 var x, a;
@@ -321,10 +319,11 @@ define([
 var attachments = (content.attachments || []).map(function (obj) {
 if (!obj || !obj.name || !obj.href) { return; }
+ // only support files explicitly beginning with /file/ so that users can't link outside of the instance
+ if (!/^\/file\//.test(obj.href)) { return; }
 var a = h('a', { href: '#' }, obj.name);
- // XXX disallow remote URLs
 $(a).click(function (e) {
 e.preventDefault();
 ctx.common.openURL(obj.href);
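Review bot: The new prefix test on `obj.href` runs `RegExp.test`, which coerces a non-string operand to a string first, so an attachment whose href is an array or object that stringifies to `/file/...` passes the guard and is then handed unchanged to `ctx.common.openURL`; the truthiness check on the line above does not rule that out. Guarding the type first is a one-line change: `if (typeof(obj.href) !== 'string' || !/^\/file\//.test(obj.href)) { return; }`. The check does keep the link on the current origin, but browsers normalise `..` segments, so `/file/../x` still opens any other path on this instance; the comment should claim only what the check enforces, e.g. `// require an origin-relative /file/ path: an attacker-supplied href can never reach another host (".." can still reach other paths on this instance)`. The surrounding map callback and the define() wrapper start and end outside the hunk, so where `content.attachments` comes from is not visible here; presumably it is the untrusted ticket payload, which is what makes the type guard worth having.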