Bluesky app fork with some witchin' additions 💫 witchsky.app
bluesky fork

Make any URI validate for RichText facet rendering #61

merged opened by hatlink.bsky.social targeting main from hatlink.bsky.social/witchsky.app: steam-validate

This pr allows the witchsky app to render any link facet that even resembles a URI, except for javascript due to XSS

Composer facet detection is still handled by @atproto/api, which means facets have to be created manually (/xrpc/com.atproto.repo.createRecord or using PDSls). Profile website is fetched using /xrpc/app.bsky.actor.getProfile, which does not return a website field with any URI (using the Bluesky PDS), meaning it would have to be fetched separately.

TLDR: renders almost any link except javascript,

Tests: tested regex with results https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:iif6bnwns5ikitrpwvlz2eo5/bafkreiam3mexbusg5bususfud2jdf2t3dhbtzs3ckvpqh67kqearmarxq4

(Resubmission of #59 because I fucked up (forgot) updating the feature branch, resulting in a giant round that lagged my whole system, sorry, this time it should probably be proper)

AT URI
at://did:plc:iif6bnwns5ikitrpwvlz2eo5/sh.tangled.repo.pull/3meo6ducggr22
+3 -3
Diff #0
+1 -1
src/components/RichText.tsx
··· 13 13 const WORD_WRAP = {wordWrap: 1} 14 14 // lifted from facet detection in `RichText` impl, _without_ `gm` flags 15 15 const URL_REGEX = 16 - /(^|\s|\()((https?:\/\/[\S]+)|((?<domain>[a-z][a-z0-9]*(\.[a-z0-9]+)+)[\S]*))/i 16 + /(^|\s|\()(?!javascript:)([a-z][a-z0-9+.-]*:\/\/[\S]+|(?:[a-z0-9]+\.)+[a-z0-9]+(:[0-9]+)?[\S]*|[a-z][a-z0-9+.-]*:[^\s()]+)/i 17 17 18 18 export type RichTextProps = TextStyleProp & 19 19 Pick<TextProps, 'selectable' | 'onLayout' | 'onTextLayout'> & {
+2 -2
src/lib/strings/website.ts
··· 4 4 5 5 export function sanitizeWebsiteForLink(website: string): string { 6 6 const normalized = website.toLowerCase() 7 - return normalized.startsWith('https') 7 + return !normalized.startsWith('javascript') 8 8 ? normalized 9 - : `https://${website.toLowerCase()}` 9 + : `unsafe-${website}` 10 10 } 11 11 12 12 export function isValidWebsiteFormat(website: string): boolean {
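Review bot: In src/components/RichText.tsx, the `(?!javascript:)` lookahead in the new `URL_REGEX` is a one-scheme denylist, and it only guards the position where a match starts. The third alternative, `[a-z][a-z0-9+.-]*:[^\s()]+`, accepts every other scheme, and because the pattern has no end anchor and its prefix group allows a match to begin after whitespace or `(`, a test against a whole facet URI can succeed on a later substring even when the string itself starts with `javascript:`. Consider parsing the scheme out of the facet URI and comparing it with an explicit allowlist of schemes the app intends to open, instead of excluding one scheme inside the regex. Separately, the named group `(?<domain>...)` is removed and group 3 now captures the optional port rather than the `https?://` URL, so any code that reads `groups.domain` or relies on the old group numbering needs checking. The comment above the constant still says the regex is lifted from the facet detection in `RichText`; it should be updated to describe what the pattern now accepts and why `javascript:` is excluded.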
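Review bot: In src/lib/strings/website.ts, `!normalized.startsWith('javascript')` in `sanitizeWebsiteForLink` is a prefix check on the untrimmed string with no colon, so it both over-blocks and under-blocks: a value such as `javascript.info` is rewritten to `unsafe-javascript.info`, while any other scheme, and any input that does not begin with exactly those ten characters, is returned as a link target. The change also drops the old fallback `https://${website.toLowerCase()}`, so a scheme-less value like `example.com` is now returned without a scheme and will no longer resolve as an absolute URL. Suggest trimming the input, extracting the scheme, allowing a known set of schemes, and keeping the `https://` prefix for values that have no scheme. The `unsafe-` prefix is built from `website` rather than `normalized`, so the two branches return differently cased output; a short comment on what callers should do with an `unsafe-` value would help.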

History

1 round 0 comments
2 commits
add steam uri to regex and make steam uri sanitize
update: allow anything except javascript, even ip addresses
pull request successfully merged