@arcblock/ux 2.10.82 → 2.10.83
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/Util/index.js +1 -0
- package/lib/Util/security.d.ts +5 -0
- package/lib/Util/security.js +34 -0
- package/package.json +5 -5
- package/src/Util/index.ts +1 -0
- package/src/Util/security.ts +45 -0
package/lib/Util/index.js
CHANGED
|
@@ -245,6 +245,7 @@ export function openWebWallet({
|
|
|
245
245
|
mergedWindowFeatures.top = winTop;
|
|
246
246
|
}
|
|
247
247
|
const strWindowFeatures = Object.keys(mergedWindowFeatures).map(key => `${key}=${mergedWindowFeatures[key]}`).join(',');
|
|
248
|
+
// 这里打开的是钱包的 URL,是安全的
|
|
248
249
|
window.open(windowUrl, 'targetWindow', strWindowFeatures);
|
|
249
250
|
return {
|
|
250
251
|
type: 'web'
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
/* eslint-disable import/prefer-default-export */
|
|
2
|
+
|
|
3
|
+
export function getSafeUrl(
|
|
4
|
+
// 只允许 / 开头, ./ 开头和带有 protocol 的 URL
|
|
5
|
+
url, {
|
|
6
|
+
returnRaw = false,
|
|
7
|
+
// 根据 URL 的规范,protocol 以 : 结尾
|
|
8
|
+
allowProtocol = ['https:', 'http:'],
|
|
9
|
+
// host 中可能会携带端口号,需要使用 hostname 来获取干净的域名
|
|
10
|
+
allowHost = [window.location.href]
|
|
11
|
+
} = {}) {
|
|
12
|
+
try {
|
|
13
|
+
let base;
|
|
14
|
+
if (url.startsWith('/')) {
|
|
15
|
+
base = window.location.origin;
|
|
16
|
+
} else if (url.startsWith('./')) {
|
|
17
|
+
base = window.location.href;
|
|
18
|
+
}
|
|
19
|
+
const urlInstance = new URL(url, base);
|
|
20
|
+
const allowHostName = allowHost ? allowHost.map(host => new URL(host).hostname) : allowHost;
|
|
21
|
+
if (allowProtocol !== null && !allowProtocol.includes(urlInstance.protocol)) {
|
|
22
|
+
console.error(`Invalid protocol: ${urlInstance.protocol}`);
|
|
23
|
+
return null;
|
|
24
|
+
}
|
|
25
|
+
if (allowHostName !== null && !allowHostName.includes(urlInstance.hostname)) {
|
|
26
|
+
console.error(`Invalid host: ${urlInstance.hostname}`);
|
|
27
|
+
return null;
|
|
28
|
+
}
|
|
29
|
+
return returnRaw ? url : urlInstance.href;
|
|
30
|
+
} catch (error) {
|
|
31
|
+
console.error(`Failed to convert url: ${url}`);
|
|
32
|
+
}
|
|
33
|
+
return null;
|
|
34
|
+
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@arcblock/ux",
|
|
3
|
-
"version": "2.10.
|
|
3
|
+
"version": "2.10.83",
|
|
4
4
|
"description": "Common used react components for arcblock products",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"react",
|
|
@@ -68,12 +68,12 @@
|
|
|
68
68
|
"react": ">=18.2.0",
|
|
69
69
|
"react-router-dom": ">=6.22.3"
|
|
70
70
|
},
|
|
71
|
-
"gitHead": "
|
|
71
|
+
"gitHead": "3dc3cfcb73c77c423d7f8d5bab93c38ddfbf55f9",
|
|
72
72
|
"dependencies": {
|
|
73
73
|
"@arcblock/did-motif": "^1.1.13",
|
|
74
|
-
"@arcblock/icons": "^2.10.
|
|
75
|
-
"@arcblock/nft-display": "^2.10.
|
|
76
|
-
"@arcblock/react-hooks": "^2.10.
|
|
74
|
+
"@arcblock/icons": "^2.10.83",
|
|
75
|
+
"@arcblock/nft-display": "^2.10.83",
|
|
76
|
+
"@arcblock/react-hooks": "^2.10.83",
|
|
77
77
|
"@babel/plugin-syntax-dynamic-import": "^7.8.3",
|
|
78
78
|
"@fontsource/inter": "^5.0.16",
|
|
79
79
|
"@fontsource/ubuntu-mono": "^5.0.18",
|
package/src/Util/index.ts
CHANGED
|
@@ -306,6 +306,7 @@ export function openWebWallet({
|
|
|
306
306
|
const strWindowFeatures = Object.keys(mergedWindowFeatures)
|
|
307
307
|
.map((key) => `${key}=${mergedWindowFeatures[key]}`)
|
|
308
308
|
.join(',');
|
|
309
|
+
// 这里打开的是钱包的 URL,是安全的
|
|
309
310
|
window.open(windowUrl, 'targetWindow', strWindowFeatures);
|
|
310
311
|
return { type: 'web' };
|
|
311
312
|
}
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
/* eslint-disable import/prefer-default-export */
|
|
2
|
+
|
|
3
|
+
export function getSafeUrl(
|
|
4
|
+
// 只允许 / 开头, ./ 开头和带有 protocol 的 URL
|
|
5
|
+
url: string,
|
|
6
|
+
{
|
|
7
|
+
returnRaw = false,
|
|
8
|
+
// 根据 URL 的规范,protocol 以 : 结尾
|
|
9
|
+
allowProtocol = ['https:', 'http:'],
|
|
10
|
+
// host 中可能会携带端口号,需要使用 hostname 来获取干净的域名
|
|
11
|
+
allowHost = [window.location.href],
|
|
12
|
+
}: {
|
|
13
|
+
returnRaw?: boolean;
|
|
14
|
+
// 为 null 时代表不检查 protocol
|
|
15
|
+
allowProtocol?: Array<string> | null;
|
|
16
|
+
// 为 null 时代表不检查 host
|
|
17
|
+
allowHost?: Array<string> | null;
|
|
18
|
+
} = {}
|
|
19
|
+
) {
|
|
20
|
+
try {
|
|
21
|
+
let base;
|
|
22
|
+
if (url.startsWith('/')) {
|
|
23
|
+
base = window.location.origin;
|
|
24
|
+
} else if (url.startsWith('./')) {
|
|
25
|
+
base = window.location.href;
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
const urlInstance = new URL(url, base);
|
|
29
|
+
const allowHostName = allowHost ? allowHost.map((host) => new URL(host).hostname) : allowHost;
|
|
30
|
+
if (allowProtocol !== null && !allowProtocol.includes(urlInstance.protocol)) {
|
|
31
|
+
console.error(`Invalid protocol: ${urlInstance.protocol}`);
|
|
32
|
+
return null;
|
|
33
|
+
}
|
|
34
|
+
if (allowHostName !== null && !allowHostName.includes(urlInstance.hostname)) {
|
|
35
|
+
console.error(`Invalid host: ${urlInstance.hostname}`);
|
|
36
|
+
return null;
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
return returnRaw ? url : urlInstance.href;
|
|
40
|
+
} catch (error) {
|
|
41
|
+
console.error(`Failed to convert url: ${url}`);
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
return null;
|
|
45
|
+
}
|