Chore: harden SafeUrlPipe

This commit is contained in:
shamoon
2025-12-18 06:30:58 -08:00
parent d8397ac77e
commit 84c59f45da
2 changed files with 49 additions and 11 deletions


@@ -1,5 +1,6 @@
import { Pipe, PipeTransform, inject } from '@angular/core'
import { DomSanitizer } from '@angular/platform-browser'
import { environment } from 'src/environments/environment'
@Pipe({
name: 'safeUrl',
@@ -7,11 +8,23 @@ import { DomSanitizer } from '@angular/platform-browser'
export class SafeUrlPipe implements PipeTransform {
private sanitizer = inject(DomSanitizer)
transform(url) {
if (url == null) {
transform(url: string | null) {
if (!url) return this.sanitizer.bypassSecurityTrustResourceUrl('')
try {
const parsed = new URL(url, window.location.origin)
const allowedOrigins = new Set([
window.location.origin,
new URL(environment.apiBaseUrl).origin,
])
const isHttp = ['http:', 'https:'].includes(parsed.protocol)
const originAllowed = allowedOrigins.has(parsed.origin)
if (!isHttp || !originAllowed) {
return this.sanitizer.bypassSecurityTrustResourceUrl('')
}
return this.sanitizer.bypassSecurityTrustResourceUrl(parsed.toString())
} catch {
return this.sanitizer.bypassSecurityTrustResourceUrl('')
} else {
return this.sanitizer.bypassSecurityTrustResourceUrl(url)
}
}
}
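Review bot: The `allowedOrigins` set in `transform` is built inside the `try`, so if `environment.apiBaseUrl` is not an absolute URL, `new URL(environment.apiBaseUrl)` throws and the `catch` silently blanks every URL the pipe sees, indistinguishable from a malformed input. Hoisting it to a class field, `private readonly allowedOrigins = new Set([window.location.origin, new URL(environment.apiBaseUrl).origin])`, makes a misconfiguration fail once at construction and stops rebuilding the set on every call; the body then keeps only `const originAllowed = this.allowedOrigins.has(parsed.origin)`. Whether apiBaseUrl is guaranteed absolute in this project is not visible in the hunk. A one-line comment above the check, `// only http(s) URLs on the app origin or the API origin are trusted; anything else degrades to ''`, would also document the intended policy for the next reader.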