rewritable 0.8.0 → 0.8.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/seeds/rewritable.html +13 -1
package/package.json
CHANGED
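--- a/package/seeds/rewritable.html
+++ b/package/seeds/rewritable.html
@@ -1329,9 +1329,21 @@ function workspacePeerKnown(peer, known) {
 return !!(peer && ((peer.uuid && known.has('uuid:' + peer.uuid)) || (peer.file && known.has('file:' + peer.file))));
 }
 
+function safeWorkspaceHref(url) {
+// peer.url arrives over the public presence bus from another page in the origin,
+// so it is untrusted. escRuntimeHtml blocks attribute breakout but NOT a
+// `javascript:`/`data:` scheme, which would execute on click. Resolve and accept
+// only navigable web/file schemes; fall back to '#' for anything else or unparsable.
+try {
+const u = new URL(url, location.href);
+if (u.protocol === 'http:' || u.protocol === 'https:' || u.protocol === 'file:') return u.href;
+} catch (_) {}
+return '#';
+}
+
 function workspacePresenceCard(peer, known) {
 const isKnown = workspacePeerKnown(peer, known);
-const href = peer.url
+const href = safeWorkspaceHref(peer.url);
 const aff = peer.affordances && peer.affordances.length ? peer.affordances.map(a => a.kind).join(', ') : 'baseline';
 return '<a class="rwa-ws-card rwa-ws-live-card" href="' + escRuntimeHtml(href) + '">' +
 '<span class="rwa-ws-kind">' + escRuntimeHtml(peer.kind || 'document') + '</span>' +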
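Review bot: A peer record whose `url` is missing (undefined or null) no longer produces an empty href: `new URL(undefined, location.href)` does not throw, it resolves the string "undefined" as a relative path against the current page, so the card links to `.../undefined` under an accepted http(s) scheme instead of falling back to `'#'`. A type guard as the first line of `safeWorkspaceHref` closes this: `if (typeof url !== 'string') return '#';`. The comment states the presence bus is scoped to the origin, yet any http(s) origin is accepted, so a peer can still point the card at an arbitrary external site; if only same-origin links are intended, adding `u.origin === location.origin` to the accept condition would enforce the stated assumption. `file:` is accepted as well, which from a page served over `file:` lets an untrusted peer link to any local path, so confirm that is wanted. `workspacePresenceCard` continues past the end of the hunk.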