From df8e0ba9234715d5d274613cbef909c22a2632c5 Mon Sep 17 00:00:00 2001
From: Cohee <18619528+Cohee1207@users.noreply.github.com>
Date: Tue, 10 Dec 2024 00:01:54 +0200
Subject: [PATCH] Don't insert non-HTTP links to extension origin
---
 public/scripts/extensions.js | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/public/scripts/extensions.js b/public/scripts/extensions.js
index 845a7c70f..c73a1fa27 100644
--- a/public/scripts/extensions.js
+++ b/public/scripts/extensions.js
@@ -1068,7 +1068,7 @@ async function checkForUpdatesManual(abortSignal) {
 try {
 const data = await getExtensionVersion(externalId, abortSignal);
 const extensionBlock = document.querySelector(`.extension_block[data-name="${externalId}"]`);
- if (extensionBlock) {
+ if (extensionBlock && data) {
 if (data.isUpToDate === false) {
 const buttonElement = extensionBlock.querySelector('.btn_update');
 if (buttonElement) {
@@ -1085,9 +1085,17 @@ async function checkForUpdatesManual(abortSignal) {
 const originLink = extensionBlock.querySelector('a');
 if (originLink) {
- originLink.href = origin;
- originLink.target = '_blank';
- originLink.rel = 'noopener noreferrer';
+ try {
+ const url = new URL(origin);
+ if (!['https:', 'http:'].includes(url.protocol)) {
+ throw new Error('Invalid protocol');
+ }
+ originLink.href = url.href;
+ originLink.target = '_blank';
+ originLink.rel = 'noopener noreferrer';
+ } catch (error) {
+ console.log('Error setting origin link', originLink, error);
+ }
 }
 const versionElement = extensionBlock.querySelector('.extension_version');
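Review bot: `externalId` is interpolated unescaped into the attribute selector on the `document.querySelector` context line of the first hunk, so a name containing `"` or `\` produces an invalid selector and throws inside the `try`; wrapping it as `CSS.escape(externalId)` in the template keeps the lookup well-formed. Separately, the new `&& data` guard skips the whole update silently when `getExtensionVersion` returns nothing, and a `console.warn` naming `externalId` in that case would make failed version checks visible. The function body starts and continues outside the hunk.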
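Review bot: The protocol allow-list in the new `try` block of the second hunk still lets any userinfo in the URL through to `originLink.href`. If `origin` is the extension's git remote (its source is outside this hunk, so that is an assumption), a remote of the form `https://user:token@host/...` would put the credential into the DOM. Clearing it before the assignment avoids that: `url.username = ''; url.password = '';`. In the `catch`, the anchor keeps whatever `href` it had before this code ran, so `originLink.removeAttribute('href')` there would make a rejected value fail closed, and `console.warn` suits a rejected origin better than `console.log`. The enclosing function starts and ends outside the hunk.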