fix: reject protocol-relative and backslash URLs in safeUrl

Addresses the commit security review: the same-origin branch of safeUrl accepted
//host and /\host, which browsers normalize to an external host (open
redirect). Allow only true same-origin paths.
This commit is contained in:
유창욱 2026-06-20 18:47:13 +09:00
parent f8aa10f91b
commit 7317bfb2b3


@ -551,7 +551,11 @@ function safeUrl(value) {
const url = String(value || "").trim();
if (/^https?:\/\//i.test(url) || url.startsWith("/")) {
// Same-origin path, but reject protocol-relative ("//host") and backslash
// ("/\\host") forms that browsers normalize to an external host.
const isSameOriginPath = url.startsWith("/") && !url.startsWith("//") && !url.startsWith("/\\");
if (/^https?:\/\//i.test(url) || isSameOriginPath) {
return url;