JS-5672: fix

anyproto · Jan 15, 2025 · 7025256 · 7025256
1 parent d355723
commit 7025256
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 7 deletions.
diff --git a/src/json/constant.ts b/src/json/constant.ts
@@ -12,7 +12,7 @@ export default {
 	textColor:			 [ 'grey', 'yellow', 'orange', 'red', 'pink', 'purple', 'blue', 'ice', 'teal', 'lime' ],
 	namespace:			 { 0: '.any' },
 
-	allowedSchemes:		 [ 'https?', 'mailto', 'tel' ],
+	allowedSchemes:		 [ 'http', 'https', 'mailto', 'tel' ],
 
 	count: {
 		icon:			 10,

diff --git a/src/json/text.json b/src/json/text.json
@@ -1092,7 +1092,7 @@
 	"popupConfirmActionReconcileText": "This operation will clean up the incorrectly occupied space in the remote file storage. Are you sure?",
 
 	"popupConfirmOpenExternalLinkTitle": "Are you sure?",
-	"popupConfirmOpenExternalLinkText": "You are trying to open url that is potentially harmful. Are you sure you want to proceed?",
+	"popupConfirmOpenExternalLinkText": "You are trying to open url that is potentially harmful. Are you sure you want to proceed?<br/>Url: %s",
 
 	"popupConfirmChatDeleteMessageTitle": "Delete this message?",
 	"popupConfirmChatDeleteMessageText": "It cannot be restored after confirmation",

diff --git a/src/ts/lib/action.ts b/src/ts/lib/action.ts
@@ -171,19 +171,33 @@ class Action {
 
 		url = U.Common.urlFix(url);
 
-		const storageKey = 'openUrl';
 		const scheme = U.Common.getScheme(url);
 		const cb = () => Renderer.send('openUrl', url);
 		const allowedSchemes = J.Constant.allowedSchemes.concat(J.Constant.protocol);
-		const isAllowed = scheme.match(new RegExp(`^(${allowedSchemes.join('|')})$`));
-
-		if (!Storage.get(storageKey) && !isAllowed) {
+		const isAllowed = allowedSchemes.includes(scheme);
+		const isDangerous = [ 
+			'javascript', 
+			'data', 
+			'data', 
+			'ws', 
+			'wss', 
+			'chrome', 
+			'about', 
+			'ssh', 
+			'blob',
+			'ms-msdt',
+			'search-ms',
+			'ms-officecmd',
+		].includes(scheme);
+		const storageKey = isDangerous ? '' : 'openUrl';
+
+		if (isDangerous || (!Storage.get(storageKey) && !isAllowed)) {
 			S.Popup.open('confirm', {
 				data: {
 					icon: 'confirm',
 					bgColor: 'red',
 					title: translate('popupConfirmOpenExternalLinkTitle'),
-					text: translate('popupConfirmOpenExternalLinkText'),
+					text: U.Common.sprintf(translate('popupConfirmOpenExternalLinkText'), U.Common.shorten(url, 120)),
 					textConfirm: translate('commonYes'),
 					storageKey,
 					onConfirm: () => cb(),