feed: show picture (kind 0) with noyx

Loading images from random url leaks meta data to other servers.

Enabled showing kind 0 picture from noxy (nostr proxy),
see https://git.qcode.ch/nostr/noxy

Only href that are a valid url and use http(s) should be allowed
to prevent malicious urls such as 'javascript:alert(1)'.

Kept the fallback to the speak bubble if there is no kind 0 event
for this pubkey or picture is missing.
OFF0 2 years ago
parent 6a4266526d
commit fecbb8ff50
Signed by: offbyn
GPG Key ID: 94A2F643C51F37FA

@ -31,6 +31,9 @@
position: relative; position: relative;
z-index: 2; z-index: 2;
} }
.mbox-img img {
max-width: 100%;
}
.mbox-updated-contact .mbox-img, .mbox-updated-contact .mbox-img,
.mbox-recommend-server .mbox-img { .mbox-recommend-server .mbox-img {

@ -52,7 +52,7 @@ const subscription = pool.sub({
// '32e1827635450ebb3c5a7d12c1f8e7b2b514439ac10a67eef3d9fd9c5c68e245', // jb55 // '32e1827635450ebb3c5a7d12c1f8e7b2b514439ac10a67eef3d9fd9c5c68e245', // jb55
// ], // ],
// since: new Date(Date.now() - (24 * 60 * 60 * 1000)), // since: new Date(Date.now() - (24 * 60 * 60 * 1000)),
limit: 500, limit: 750,
} }
}); });
@ -318,11 +318,24 @@ function handleMetadata(evt, relay) {
} }
} }
const getNoxyUrl = (id, relay, url) => {
if (!isHttpUrl(url)) {
return false;
}
const picture = new URL('https://noxy.nostr.ch/data');
picture.searchParams.set('id', id);
picture.searchParams.set('relay', relay);
picture.searchParams.set('url', url);
return picture.href;
}
function setMetadata(evt, relay, content) { function setMetadata(evt, relay, content) {
const user = userList.find(u => u.pubkey === evt.pubkey); const user = userList.find(u => u.pubkey === evt.pubkey);
const picture = getNoxyUrl(evt.id, relay, content.picture);
if (!user) { if (!user) {
userList.push({ userList.push({
metadata: {[relay]: content}, metadata: {[relay]: content},
...(content.picture && {picture}),
pubkey: evt.pubkey, pubkey: evt.pubkey,
}); });
} else { } else {
@ -331,6 +344,9 @@ function setMetadata(evt, relay, content) {
timestamp: evt.created_at, timestamp: evt.created_at,
...content, ...content,
}; };
if (!user.picture) {
user.picture = picture;
} // no support (yet) for other picture from same pubkey on different relays
} }
// if (tempContactList[relay]) { // if (tempContactList[relay]) {
// const updates = tempContactList[relay].filter(update => update.pubkey === evt.pubkey); // const updates = tempContactList[relay].filter(update => update.pubkey === evt.pubkey);
@ -340,6 +356,14 @@ function setMetadata(evt, relay, content) {
// } // }
} }
function isHttpUrl(string) {
try {
return ['http:', 'https:'].includes(new URL(string).protocol);
} catch (err) {
return false;
}
}
const getHost = (url) => { const getHost = (url) => {
try { try {
return new URL(url).host; return new URL(url).host;
@ -351,7 +375,7 @@ const getHost = (url) => {
function getMetadata(evt, relay) { function getMetadata(evt, relay) {
const host = getHost(relay); const host = getHost(relay);
const user = userList.find(user => user.pubkey === evt.pubkey); const user = userList.find(user => user.pubkey === evt.pubkey);
const userImg = /*user?.metadata[relay]?.picture || */'assets/bubble.svg'; // TODO: enable pic once we have proxy const userImg = user?.picture || 'assets/bubble.svg';
const userName = user?.metadata[relay]?.name || evt.pubkey.slice(0, 8); const userName = user?.metadata[relay]?.name || evt.pubkey.slice(0, 8);
const userAbout = user?.metadata[relay]?.about || ''; const userAbout = user?.metadata[relay]?.about || '';
const img = elem('img', { const img = elem('img', {

Loading…
Cancel
Save