wuyuan/Classworks
1
0
Fork 0
mirror of https://github.com/ZeroCatDev/Classworks.git synced 2026-02-04 16:03:10 +00:00
Code Releases Activity

tighten background url validation

Browse Source 
Co-authored-by: Sunwuyuan <88357633+Sunwuyuan@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2025-12-29 10:29:04 +00:00
parent 2c12051c45
commit 3d0c51dfa1
1 changed files with 10 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/pages/index.vue
View File

@ -693,7 +693,7 @@ export default {
if (!safeUrl) return { display: "none" }; if (!safeUrl) return { display: "none" };
const blur = Math.min(Math.max(this.backgroundBlurAmount, 0), 50); const blur = Math.min(Math.max(this.backgroundBlurAmount, 0), 50);
const escaped = this.cssEscape(encodeURI(safeUrl)); const escaped = this.cssEscape(safeUrl);
return { return {
backgroundImage: `url("${escaped}")`, backgroundImage: `url("${escaped}")`,
filter: `blur(${blur}px)`, filter: `blur(${blur}px)`,
@ -2218,18 +2218,12 @@ export default {
try { try {
const parsed = new URL(trimmed, window.location.origin); const parsed = new URL(trimmed, window.location.origin);
const protocol = parsed.protocol.replace(":", ""); const protocol = parsed.protocol.replace(":", "");
if (["http", "https", "blob"].includes(protocol)) return true; if (!["http", "https", "blob"].includes(protocol)) return false;
if (parsed.pathname.includes("..")) return false;
return true;
} catch (e) { } catch (e) {
// Allow relative paths return false;
if (
trimmed.startsWith("/") ||
trimmed.startsWith("./") ||
trimmed.startsWith("../")
) {
return true;
}
} }
return false;
}, },
sanitizeBackgroundUrl(url) { sanitizeBackgroundUrl(url) {
if (!this.isSafeBackgroundUrl(url)) return ""; if (!this.isSafeBackgroundUrl(url)) return "";
@ -2237,15 +2231,17 @@ export default {
const parsed = new URL(url, window.location.origin); const parsed = new URL(url, window.location.origin);
return parsed.href; return parsed.href;
} catch (e) { } catch (e) {
// Fallback for relative paths when URL parsing fails return "";
return url.replace(/[^a-zA-Z0-9-._~/:@%+#?&=]/g, "");
} }
}, },
cssEscape(value) { cssEscape(value) {
if (typeof CSS !== "undefined" && CSS.escape) { if (typeof CSS !== "undefined" && CSS.escape) {
return CSS.escape(value); return CSS.escape(value);
} }
return value.replace(/[^a-zA-Z0-9_\-]/g, (char) => `\\${char}`); return value
.replace(/["'\\]/g, "\\$&")
.replace(/[\n\r\f]/g, "")
.replace(/[^a-zA-Z0-9_\-/:.@%?#=&]/g, (char) => `\\${char}`);
}, },
safeBase64Decode(base64String) { safeBase64Decode(base64String) {