Guard against invalid URLs

2024-11-24 10:15:37 +03:00 · 2023-12-03 20:40:00 +08:00 · 2023-12-03 20:40:00 +08:00 · cbb7378601
commit cbb7378601
parent 012e944a53
3 changed files with 28 additions and 17 deletions
--- a/src/components/link.jsx
+++ b/src/components/link.jsx
@ -22,13 +22,15 @@ const Link = forwardRef((props, ref) => {

  // Handle encodeURIComponent of searchParams values
  if (!!hash && hash !== '/' && hash.includes('?')) {
-    const parsedHash = new URL(hash, location.origin); // Fake base URL
-    if (parsedHash.searchParams.size) {
-      const searchParamsStr = Array.from(parsedHash.searchParams.entries())
-        .map(([key, value]) => `${key}=${encodeURIComponent(value)}`)
-        .join('&');
-      hash = parsedHash.pathname + '?' + searchParamsStr;
-    }
+    try {
+      const parsedHash = new URL(hash, location.origin); // Fake base URL
+      if (parsedHash.searchParams.size) {
+        const searchParamsStr = Array.from(parsedHash.searchParams.entries())
+          .map(([key, value]) => `${key}=${encodeURIComponent(value)}`)
+          .join('&');
+        hash = parsedHash.pathname + '?' + searchParamsStr;
+      }
+    } catch (e) {}
  }

  const isActive = hash === to || decodeURIComponent(hash) === to;
--- a/src/components/status.jsx
+++ b/src/components/status.jsx
@ -2269,7 +2269,12 @@ function _unfurlMastodonLink(instance, url) {
    theURL = `https://${finalURL}`;
  }

-  const urlObj = new URL(theURL);
+  let urlObj;
+  try {
+    urlObj = new URL(theURL);
+  } catch (e) {
+    return;
+  }
  const domain = urlObj.hostname;
  const path = urlObj.pathname;
  // Regex /:username/:id, where username = @username or @username@domain, id = number
--- a/src/utils/isMastodonLinkMaybe.jsx
+++ b/src/utils/isMastodonLinkMaybe.jsx
@ -1,11 +1,15 @@
 export default function isMastodonLinkMaybe(url) {
-  const { pathname, hash } = new URL(url);
-  return (
-    /^\/.*\/\d+$/i.test(pathname) ||
-    /^\/@[^/]+\/(statuses|posts)\/\w+\/?$/i.test(pathname) || // GoToSocial, Takahe
-    /^\/notes\/[a-z0-9]+$/i.test(pathname) || // Misskey, Firefish
-    /^\/notes\/[a-z0-9]+$/i.test(pathname) || // Misskey, Calckey
-    /^\/(notice|objects)\/[a-z0-9-]+$/i.test(pathname) || // Pleroma
-    /#\/[^\/]+\.[^\/]+\/s\/.+/i.test(hash) // Phanpy 🫣
-  );
+  try {
+    const { pathname, hash } = new URL(url);
+    return (
+      /^\/.*\/\d+$/i.test(pathname) ||
+      /^\/@[^/]+\/(statuses|posts)\/\w+\/?$/i.test(pathname) || // GoToSocial, Takahe
+      /^\/notes\/[a-z0-9]+$/i.test(pathname) || // Misskey, Firefish
+      /^\/notes\/[a-z0-9]+$/i.test(pathname) || // Misskey, Calckey
+      /^\/(notice|objects)\/[a-z0-9-]+$/i.test(pathname) || // Pleroma
+      /#\/[^\/]+\.[^\/]+\/s\/.+/i.test(hash) // Phanpy 🫣
+    );
+  } catch (e) {
+    return false;
+  }
 }