@arcblock/ux 2.10.84 → 2.10.86

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/lib/Util/security.d.ts +8 -6
  2. package/lib/Util/security.js +16 -4
  3. package/package.json +5 -5
  4. package/src/Util/security.ts +22 -7
package/lib/Util/security.d.ts CHANGED
@@ -1,6 +1,8 @@
1
- export declare function getSafeUrl(url: string, { throwOnError, returnRaw, allowProtocol, allowHost, }?: {
2
- throwOnError?: boolean | undefined;
3
- returnRaw?: boolean | undefined;
4
- allowProtocol?: string[] | undefined;
5
- allowHost?: string[] | undefined;
6
- }): string | null;
1
+ type GetSafeUrlOptions = {
2
+ returnRaw?: boolean;
3
+ throwOnError?: Boolean;
4
+ allowProtocols?: Array<string> | null;
5
+ allowDomains?: Array<string> | null;
6
+ };
7
+ export declare function getSafeUrl(url: string, { throwOnError, returnRaw, allowProtocols, allowDomains, }?: GetSafeUrlOptions): string | null;
8
+ export {};
package/lib/Util/security.js CHANGED
@@ -7,10 +7,15 @@ url, {
7
7
  throwOnError = true,
8
8
  returnRaw = false,
9
9
  // 根据 URL 的规范,protocol 以 : 结尾
10
- allowProtocol = ['https:', 'http:'],
10
+ allowProtocols = ['https:', 'http:'],
11
11
  // host 中可能会携带端口号,需要使用 hostname 来获取干净的域名
12
- allowHost = [window.location.href]
12
+ allowDomains = undefined
13
13
  } = {}) {
14
+ if (allowDomains === undefined) {
15
+ // eslint-disable-next-line no-param-reassign
16
+ allowDomains = window.blocklet?.domainAliases || [];
17
+ allowDomains.push(window.location.href);
18
+ }
14
19
  try {
15
20
  let base;
16
21
  if (url.startsWith('/')) {
@@ -19,8 +24,15 @@ url, {
19
24
  base = window.location.href;
20
25
  }
21
26
  const urlInstance = new URL(url, base);
22
- const allowHostName = allowHost ? allowHost.map(host => new URL(host).hostname) : allowHost;
23
- if (allowProtocol !== null && !allowProtocol.includes(urlInstance.protocol)) {
27
+ const allowHostName = allowDomains ? allowDomains.map(host => {
28
+ try {
29
+ return new URL(host).hostname;
30
+ } catch {
31
+ // HACK: 如果传入的 allowDomains 不包含协议,则尝试为它添加协议头
32
+ return new URL(`https://${host}`).hostname;
33
+ }
34
+ }) : allowDomains;
35
+ if (allowProtocols !== null && !allowProtocols.includes(urlInstance.protocol)) {
24
36
  console.error(`Invalid protocol: ${urlInstance.protocol}`);
25
37
  if (throwOnError) throw new CustomError(`Invalid protocol: ${urlInstance.protocol}`);
26
38
  return null;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@arcblock/ux",
3
- "version": "2.10.84",
3
+ "version": "2.10.86",
4
4
  "description": "Common used react components for arcblock products",
5
5
  "keywords": [
6
6
  "react",
@@ -68,12 +68,12 @@
68
68
  "react": ">=18.2.0",
69
69
  "react-router-dom": ">=6.22.3"
70
70
  },
71
- "gitHead": "1311dd7d9ce3a6b0164404de828e64dcd900ce6d",
71
+ "gitHead": "bc6f365772401070c253a364abad0269479d5bff",
72
72
  "dependencies": {
73
73
  "@arcblock/did-motif": "^1.1.13",
74
- "@arcblock/icons": "^2.10.84",
75
- "@arcblock/nft-display": "^2.10.84",
76
- "@arcblock/react-hooks": "^2.10.84",
74
+ "@arcblock/icons": "^2.10.86",
75
+ "@arcblock/nft-display": "^2.10.86",
76
+ "@arcblock/react-hooks": "^2.10.86",
77
77
  "@babel/plugin-syntax-dynamic-import": "^7.8.3",
78
78
  "@fontsource/inter": "^5.0.16",
79
79
  "@fontsource/ubuntu-mono": "^5.0.18",
package/src/Util/security.ts CHANGED
@@ -4,9 +4,9 @@ type GetSafeUrlOptions = {
4
4
  returnRaw?: boolean;
5
5
  throwOnError?: Boolean;
6
6
  // 为 null 时代表不检查 protocol
7
- allowProtocol?: Array<string> | null;
7
+ allowProtocols?: Array<string> | null;
8
8
  // 为 null 时代表不检查 host
9
- allowHost?: Array<string> | null;
9
+ allowDomains?: Array<string> | null;
10
10
  };
11
11
 
12
12
  class CustomError extends Error {}
@@ -18,11 +18,16 @@ export function getSafeUrl(
18
18
  throwOnError = true,
19
19
  returnRaw = false,
20
20
  // 根据 URL 的规范,protocol 以 : 结尾
21
- allowProtocol = ['https:', 'http:'],
21
+ allowProtocols = ['https:', 'http:'],
22
22
  // host 中可能会携带端口号,需要使用 hostname 来获取干净的域名
23
- allowHost = [window.location.href],
24
- } = {}
23
+ allowDomains = undefined,
24
+ }: GetSafeUrlOptions = {}
25
25
  ) {
26
+ if (allowDomains === undefined) {
27
+ // eslint-disable-next-line no-param-reassign
28
+ allowDomains = window.blocklet?.domainAliases || [];
29
+ (allowDomains as unknown as Array<String>).push(window.location.href);
30
+ }
26
31
  try {
27
32
  let base;
28
33
  if (url.startsWith('/')) {
@@ -32,8 +37,18 @@ export function getSafeUrl(
32
37
  }
33
38
 
34
39
  const urlInstance = new URL(url, base);
35
- const allowHostName = allowHost ? allowHost.map((host) => new URL(host).hostname) : allowHost;
36
- if (allowProtocol !== null && !allowProtocol.includes(urlInstance.protocol)) {
40
+ const allowHostName = allowDomains
41
+ ? (allowDomains as Array<string>).map((host) => {
42
+ try {
43
+ return new URL(host).hostname;
44
+ } catch {
45
+ // HACK: 如果传入的 allowDomains 不包含协议,则尝试为它添加协议头
46
+ return new URL(`https://${host}`).hostname;
47
+ }
48
+ })
49
+ : (allowDomains as unknown as null);
50
+
51
+ if (allowProtocols !== null && !allowProtocols.includes(urlInstance.protocol)) {
37
52
  console.error(`Invalid protocol: ${urlInstance.protocol}`);
38
53
  if (throwOnError) throw new CustomError(`Invalid protocol: ${urlInstance.protocol}`);
39
54
  return null;