fix: Solve codeql security issues

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>

src/components/render-page/window-post-message-communicator/window-post-message-communicator.ts

@@ -151,6 +151,9 @@ export abstract class WindowPostMessageCommunicator<
    * @return {@link true} if the event was processed.
    */
   protected handleEvent(event: MessageEvent<MessagePayloadWithUuid<RECEIVE_TYPE>>): void {
+    if (event.origin !== this.targetOrigin) {
+      return
+    }
     Optional.ofNullable(event.data)
       .filter((value) => value.uuid === this.uuid)
       .ifPresent((payload) => {

src/extensions/extra-integrations/gist/replace-gist-link.ts

@@ -7,12 +7,7 @@
 import { GistMarkdownExtension } from './gist-markdown-extension'
 import type { RegexOptions } from '../../../external-types/markdown-it-regex/interface'
 
-const protocolRegex = /(?:http(?:s)?:\/\/)?/
-const domainRegex = /(?:gist\.github\.com\/)/
-const idRegex = /(\w+\/\w+)/
-const tailRegex = /(?:[./?#].*)?/
-const gistUrlRegex = new RegExp(`(?:${protocolRegex.source}${domainRegex.source}${idRegex.source}${tailRegex.source})`)
-const linkRegex = new RegExp(`^${gistUrlRegex.source}$`, 'i')
+const linkRegex = /^(?:https?:\/\/)?gist\.github\.com\/(\w+\/\w+)(?:[./?#].*)?$/i
 
 /**
  * Replacer for gist links.

src/extensions/extra-integrations/vimeo/__snapshots__/vimeo-frame.test.tsx.snap

@@ -10,8 +10,8 @@ exports[`VimeoFrame renders a click shield 1`] = `
       <iframe
         allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture"
         class="embed-responsive-item"
-        src="https://player.vimeo.com/video/valid vimeo id?autoplay=1"
-        title="vimeo video of valid vimeo id"
+        src="https://player.vimeo.com/video/validVimeoId?autoplay=1"
+        title="vimeo video of validVimeoId"
       />
     </span>
   </span>

src/extensions/extra-integrations/vimeo/replace-vimeo-link.ts

@@ -9,14 +9,8 @@ import type MarkdownIt from 'markdown-it'
 import markdownItRegex from 'markdown-it-regex'
 import type { RegexOptions } from '../../../external-types/markdown-it-regex/interface'
 
-const protocolRegex = /(?:http(?:s)?:\/\/)?/
-const domainRegex = /(?:player\.)?(?:vimeo\.com\/)(?:(?:channels|album|ondemand|groups)\/\w+\/)?(?:video\/)?/
-const idRegex = /(\d{6,11})/
-const tailRegex = /(?:[?#].*)?/
-const vimeoVideoUrlRegex = new RegExp(
-  `(?:${protocolRegex.source}${domainRegex.source}${idRegex.source}${tailRegex.source})`
-)
-const linkRegex = new RegExp(`^${vimeoVideoUrlRegex.source}$`, 'i')
+const linkRegex =
+  /^(?:https?:\/\/)?(?:player\.)?vimeo\.com\/(?:(?:channels|album|ondemand|groups)\/\w+\/)?(?:video\/)?(\d{6,11})(?:[?#].*)?$/i
 
 const replaceVimeoLink: RegexOptions = {
   name: 'vimeo-link',

src/extensions/extra-integrations/vimeo/vimeo-frame.test.tsx

@@ -19,7 +19,7 @@ describe('VimeoFrame', () => {
   })
 
   it('renders a click shield', () => {
-    const view = render(<VimeoFrame id={'valid vimeo id'} />)
+    const view = render(<VimeoFrame id={'validVimeoId'} />)
     expect(view.container).toMatchSnapshot()
   })
 })

src/extensions/extra-integrations/youtube/__snapshots__/youtube-frame.test.tsx.snap

@@ -10,8 +10,8 @@ exports[`YoutubeFrame renders a click shield 1`] = `
       <iframe
         allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture"
         class="embed-responsive-item"
-        src="https://www.youtube-nocookie.com/embed/valid youtube id?autoplay=1"
-        title="youtube video of valid youtube id"
+        src="https://www.youtube-nocookie.com/embed/validYoutubeId?autoplay=1"
+        title="youtube video of validYoutubeId"
       />
     </span>
   </span>

src/extensions/extra-integrations/youtube/replace-youtube-link.test.ts

@@ -34,17 +34,17 @@ describe('Replace youtube link', () => {
           })
 
           it("won't detect an invalid(too short) youtube id", () => {
-            const invalidUrl = '${origin}?v=1'
+            const invalidUrl = `${origin}?v=1`
             expect(markdownIt.renderInline(invalidUrl)).toBe(invalidUrl)
           })
 
           it("won't detect an invalid(invalid characters) youtube id", () => {
-            const invalidUrl = '${origin}?v= /!#/'
+            const invalidUrl = `${origin}?v= /!#/`
             expect(markdownIt.renderInline(invalidUrl)).toBe(invalidUrl)
           })
 
           it("won't detect an invalid(too long) youtube id", () => {
-            const invalidUrl = '${origin}?v=111111111111111111111111111111111'
+            const invalidUrl = `${origin}?v=111111111111111111111111111111111`
             expect(markdownIt.renderInline(invalidUrl)).toBe(invalidUrl)
           })
         })

src/extensions/extra-integrations/youtube/replace-youtube-link.ts

@@ -9,15 +9,8 @@ import markdownItRegex from 'markdown-it-regex'
 import type MarkdownIt from 'markdown-it'
 import type { RegexOptions } from '../../../external-types/markdown-it-regex/interface'
 
-const protocolRegex = /(?:http(?:s)?:\/\/)?/
-const subdomainRegex = /(?:www.)?/
-const pathRegex = /(?:youtube(?:-nocookie)?\.com\/(?:[^\\/]+\/.+\/|(?:v|e(?:mbed)?)\/|.*[?&]v=)|youtu\.be\/)/
-const idRegex = /([\w-]{11})/
-const tailRegex = /(?:[?&#].*)?/
-const youtubeVideoUrlRegex = new RegExp(
-  `(?:${protocolRegex.source}${subdomainRegex.source}${pathRegex.source}${idRegex.source}${tailRegex.source})`
-)
-const linkRegex = new RegExp(`^${youtubeVideoUrlRegex.source}$`, 'i')
+const linkRegex =
+  /^(?:https?:\/\/)?(?:www.)?(?:youtube(?:-nocookie)?\.com\/(?:[^\\/]+\/.+\/|(?:v|e(?:mbed)?)\/|.*[?&]v=)|youtu\.be\/)([\w-]{11})(?:[?&#].*)?$/i
 
 /**
  * Replacer for youtube links.

src/extensions/extra-integrations/youtube/youtube-frame.test.tsx

@@ -19,7 +19,7 @@ describe('YoutubeFrame', () => {
   })
 
   it('renders a click shield', () => {
-    const view = render(<YouTubeFrame id={'valid youtube id'} />)
+    const view = render(<YouTubeFrame id={'validYoutubeId'} />)
     expect(view.container).toMatchSnapshot()
   })
 })