fix(desktop): validate URL schemes before shell.openExternal
parent
23de2197fd
commit
b9d4d5e4ac
|
|
@ -20,10 +20,24 @@ function createWindow() {
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
// Open external links in the browser
|
// Open external links in the browser, but only allow protocols
|
||||||
|
// that the TipTap editor also allows (see frontend/src/components/input/editor/TipTap.vue).
|
||||||
|
// TipTap allows: http, https (built-in) + ftp, git, obsidian, notion, message
|
||||||
|
// We also allow mailto since it's a standard safe protocol for email links.
|
||||||
mainWindow.webContents.setWindowOpenHandler(({ url }) => {
|
mainWindow.webContents.setWindowOpenHandler(({ url }) => {
|
||||||
shell.openExternal(url);
|
try {
|
||||||
return { action: 'deny' };
|
const parsedUrl = new URL(url);
|
||||||
|
const allowedProtocols = [
|
||||||
|
'http:', 'https:', 'mailto:',
|
||||||
|
'ftp:', 'git:', 'obsidian:', 'notion:', 'message:',
|
||||||
|
];
|
||||||
|
if (allowedProtocols.includes(parsedUrl.protocol)) {
|
||||||
|
shell.openExternal(url);
|
||||||
|
}
|
||||||
|
} catch {
|
||||||
|
// Invalid URL, ignore silently
|
||||||
|
}
|
||||||
|
return { action: 'deny' };
|
||||||
});
|
});
|
||||||
|
|
||||||
// Hide the toolbar
|
// Hide the toolbar
|
||||||
|
|
|
||||||
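Review bot: The allowlist inside the `setWindowOpenHandler` callback covers more than this handler should open unattended: `obsidian:`, `notion:`, `message:`, `git:` and `ftp:` URLs go to whichever local application is registered for them with no confirmation, so if editor content authored by someone else can trigger a window open (not visible from this hunk), that input reaches those applications' URL handlers. Consider opening only `http:`, `https:` and `mailto:` directly and asking the user before the rest, and log rejected schemes rather than dropping them silently so blocked attempts can be seen. Two smaller points on the same lines: the check is made on `parsedUrl` but the raw string is what gets opened, and `shell.openExternal` returns a promise in current Electron, so a rejection (for example when no handler is registered) escapes the `try`; `shell.openExternal(parsedUrl.href).catch((err) => console.warn('openExternal failed', err));` covers both. `createWindow` starts and ends outside the hunk.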