Merge pull request #2201 from overleaf/hb-relative-path-fix
Handle double slash case of safe redirect paths GitOrigin-RevId: fb6e8ea9d736a65df61f07d563235262b8aaf0f3
parent
4cce43b8d2
commit
6c005da303
2 changed files with 5 additions and 1 deletions
|
@ -4,7 +4,7 @@ const { URL } = require('url')
|
|||
function getSafeRedirectPath(value) {
|
||||
const baseURL = Settings.siteUrl // base URL is required to construct URL from path
|
||||
const url = new URL(value, baseURL)
|
||||
let safePath = `${url.pathname}${url.search}${url.hash}`
|
||||
let safePath = `${url.pathname}${url.search}${url.hash}`.replace(/^\/+/, '/')
|
||||
if (safePath === '/') {
|
||||
safePath = undefined
|
||||
}
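Review bot: The new `.replace(/^\/+/, '/')` on the `safePath` line collapses only forward slashes, so a path that comes out of `new URL(value, baseURL)` as a slash followed by a backslash would pass through unchanged, and browsers resolve that form like `//`. For http(s) input the parser already rewrites backslashes to slashes, but the visible lines do not restrict `value` to those schemes, so this is worth confirming rather than assuming. Consider widening the pattern to `.replace(/^[\/\\]+/, '/')` and adding a unit test for it next to the double-slash case. The body of `getSafeRedirectPath` continues past the end of the hunk, so a later check may already cover this.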
|
||||
|
|
|
@ -27,6 +27,10 @@ describe('UrlHelper', function() {
|
|||
'/%2F%2Fevil.com'
|
||||
)
|
||||
|
||||
expect(
|
||||
this.UrlHelper.getSafeRedirectPath('http://foo.com//evil.com/bad')
|
||||
).to.equal('/evil.com/bad')
|
||||
|
||||
return expect(this.UrlHelper.getSafeRedirectPath('.evil.com')).to.equal(
|
||||
'/.evil.com'
|
||||
)
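Review bot: The added assertion covers exactly two slashes after the host, while the fix uses `/^\/+/` and runs before the `safePath === '/'` check, so two boundary cases are left unpinned. I would add one with three or more leading slashes, `expect(this.UrlHelper.getSafeRedirectPath('http://foo.com///evil.com/bad')).to.equal('/evil.com/bad')`, and one where the path consists only of slashes, which should come back `undefined` going by the helper hunk. The surrounding `it` block starts above this hunk, so these cases may already exist there.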
|
||||
|
|