npm - @exodus/react-native-webview - Versions diffs - 11.26.1-exodus.21 → 11.26.1-exodus.22 - Mend

@exodus/react-native-webview 11.26.1-exodus.21 → 11.26.1-exodus.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/lib/WebViewShared.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import React from 'react';
 import { OnShouldStartLoadWithRequest, ShouldStartLoadRequestEvent, WebViewError, WebViewErrorEvent, WebViewMessageEvent, WebViewMessage, WebViewNavigationEvent, WebViewOpenWindowEvent, WebViewProgressEvent, WebViewNativeEvent } from './WebViewTypes';
 declare const defaultOriginWhitelist: readonly ["https://*"];
-declare const defaultDeeplinkWhitelist: readonly ["https://"];
+declare const defaultDeeplinkWhitelist: readonly ["https:"];
 declare const createOnShouldStartLoadWithRequest: (loadRequest: (shouldStart: boolean, url: string, lockIdentifier: number) => void, originWhitelist: readonly string[], deepLinkWhitelist: readonly string[], onShouldStartLoadWithRequest?: OnShouldStartLoadWithRequest | undefined) => ({ nativeEvent }: ShouldStartLoadRequestEvent) => void;
 declare const defaultRenderLoading: () => JSX.Element;
 declare const defaultRenderError: (errorDomain: string | undefined, errorCode: number, errorDesc: string) => JSX.Element;

package/lib/WebViewShared.js CHANGED Viewed

@@ -3,8 +3,8 @@ import React, { useCallback, useMemo, useRef, useState } from 'react';
 import { Linking, View, ActivityIndicator, Text, Platform } from 'react-native';
 import styles from './WebView.styles';
 const defaultOriginWhitelist = ['https://*'];
-const defaultDeeplinkWhitelist = ['https://'];
-const defaultDeeplinkBlocklist = [/^http:/i, /^file:/i, /^javascript:/i];
+const defaultDeeplinkWhitelist = ['https:'];
+const defaultDeeplinkBlocklist = [`http:`, `file:`, `javascript:`];
 const extractOrigin = (url) => {
     const result = /^[A-Za-z][A-Za-z0-9+\-.]+:(\/\/)?[^/]*/.exec(url);
     return result === null ? '' : result[0];
@@ -13,20 +13,36 @@ const stringWhitelistToRegex = (originWhitelist) => new RegExp(`^${escapeStringR
 const matchWithRegexList = (compiledRegexList, value) => {
     return compiledRegexList.some(x => x.test(value));
 };
-const matchWithPrefixStringList = (prefixes, value) => {
+const matchWithStringList = (prefixes, value) => {
     if (typeof value !== 'string')
         throw new Error(`value was not a string`);
-    return prefixes.some(x => String(x).length && String.prototype.startsWith.call(value, x));
+    return Array.prototype.includes.call(prefixes, value);
 };
 const _passesWhitelist = (compiledWhitelist, url) => {
     const origin = extractOrigin(url);
     if (!origin)
         return false;
-    if (origin !== new URL(url).origin)
-        return null;
+    try {
+        const decodedUrl = new URL(url);
+        if (origin !== decodedUrl.origin)
+            return null;
+    }
+    catch {
+        return false;
+    }
     return matchWithRegexList(compiledWhitelist, origin);
 };
 const compileWhitelist = (originWhitelist) => ['about:blank', ...(originWhitelist || [])].map(stringWhitelistToRegex);
+const urlToProtocolScheme = (url) => {
+    try {
+        return new URL(url).protocol;
+    }
+    catch {
+        // Protocol schemes must start with a letter and cannot start with digits, underscores etc.
+        // e.g 0invalid, _invalid, +invalid,  -invalid, .invalid will all become null
+        return null;
+    }
+};
 const createOnShouldStartLoadWithRequest = (loadRequest, originWhitelist, deepLinkWhitelist, onShouldStartLoadWithRequest) => {
     const compiledWhiteList = compileWhitelist(originWhitelist);
     return ({ nativeEvent }) => {
@@ -34,24 +50,31 @@ const createOnShouldStartLoadWithRequest = (loadRequest, originWhitelist, deepLi
         const { url, lockIdentifier, isTopFrame } = nativeEvent;
         /** Check if the url passes the origin whitelist */
         if (!_passesWhitelist(compiledWhiteList, url)) {
-            /** Check if the url passes the hardcoded deeplink blocklist */
-            const foundMatchInBlocklist = matchWithRegexList(defaultDeeplinkBlocklist, url);
-            if (!foundMatchInBlocklist) {
-                /** Check if the url passes the dynamic deeplink allow list */
-                const foundMatchInAllowlist = matchWithPrefixStringList(deepLinkWhitelist, url);
-                if (foundMatchInAllowlist) {
-                    Linking.canOpenURL(url).then((supported) => {
-                        if (supported && isTopFrame) {
-                            return Linking.openURL(url);
-                        }
-                        console.warn(`Can't open url: ${url}`);
-                        return undefined;
-                    }).catch(e => {
-                        console.warn('Error opening URL: ', e);
-                    });
+            const protocol = urlToProtocolScheme(url);
+            /* Check that the protocol was properly parsed */
+            if (protocol !== null) {
+                /** Check if the protocol passes the hardcoded deeplink blocklist */
+                const foundMatchInBlocklist = matchWithStringList(defaultDeeplinkBlocklist, protocol);
+                if (!foundMatchInBlocklist) {
+                    /** Check if the protocol passes the dynamic deeplink allow list */
+                    const foundMatchInAllowlist = matchWithStringList(deepLinkWhitelist, protocol);
+                    if (foundMatchInAllowlist) {
+                        Linking.canOpenURL(url).then((supported) => {
+                            if (supported && isTopFrame) {
+                                return Linking.openURL(url);
+                            }
+                            console.warn(`Can't open url: ${url}`);
+                            return undefined;
+                        }).catch(e => {
+                            console.warn('Error opening URL: ', e);
+                        });
+                    }
+                    else {
+                        console.warn(`Failed to pass whitelist for deep link url: ${url}`);
+                    }
                 }
                 else {
-                    console.warn(`Failed to pass default block list or whitelist deep link url: ${url}`);
+                    console.warn(`Failed to pass default block list for deep link url: ${url}`);
                 }
             }
             shouldStart = false;

package/lib/WebViewTypes.d.ts CHANGED Viewed

@@ -714,9 +714,8 @@ export interface WebViewSharedProps extends ViewProps {
      */
     readonly originWhitelist?: string[];
     /**
-     * List of prefixes to allow being deep linked to. The strings do NOT allow
-     * wildcards and get matched against the full URL using "startsWith".
-     * The default behavior is to only allow "https://".
+     * List of protocol schemes to allow being deep linked to. This requires
+     * an exact match. The default behavior is to only allow "https:".
      */
     readonly deeplinkWhitelist?: string[];
     /**

package/package.json CHANGED Viewed

@@ -9,7 +9,7 @@
     "Thibault Malbranche <malbranche.thibault@gmail.com>"
   ],
   "license": "MIT",
-  "version": "11.26.1-exodus.21",
+  "version": "11.26.1-exodus.22",
   "homepage": "https://github.com/ExodusMovement/react-native-webview#readme",
   "scripts": {
     "android": "react-native run-android",