diff --git a/website/client/package-lock.json b/website/client/package-lock.json
index 802bfc55abc..59e71df90e9 100644
--- a/website/client/package-lock.json
+++ b/website/client/package-lock.json
@@ -23,7 +23,6 @@
 "bootstrap": "^4.6.0",
 "bootstrap-vue": "^2.23.1",
 "core-js": "^3.33.1",
- "dompurify": "^3.0.3",
 "eslint": "7.32.0",
 "eslint-config-habitrpg": "6.2.0",
 "eslint-plugin-mocha": "5.3.0",
@@ -5389,11 +5388,6 @@
 "url": "https://github.com/fb55/domhandler?sponsor=1"
 }
 },
- "node_modules/dompurify": {
- "version": "3.0.6",
- "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.0.6.tgz",
- "integrity": "sha512-ilkD8YEnnGh1zJ240uJsW7AzE+2qpbOUYjacomn3AvJ6J4JhKGSZ2nh4wUIXPZrEPppaCLx5jFe8T89Rk8tQ7w=="
- },
 "node_modules/domutils": {
 "version": "2.8.0",
 "resolved": "https://registry.npmjs.org/domutils/-/domutils-2.8.0.tgz",
diff --git a/website/client/package.json b/website/client/package.json
index 92c04009696..e19536a787e 100644
--- a/website/client/package.json
+++ b/website/client/package.json
@@ -25,7 +25,6 @@
 "bootstrap": "^4.6.0",
 "bootstrap-vue": "^2.23.1",
 "core-js": "^3.33.1",
- "dompurify": "^3.0.3",
 "eslint": "7.32.0",
 "eslint-config-habitrpg": "6.2.0",
 "eslint-plugin-mocha": "5.3.0",
diff --git a/website/client/src/components/auth/registerLoginReset.vue b/website/client/src/components/auth/registerLoginReset.vue
index a5d2b9ea154..5559d62f6b4 100644
--- a/website/client/src/components/auth/registerLoginReset.vue
+++ b/website/client/src/components/auth/registerLoginReset.vue
@@ -608,10 +608,9 @@ import axios from 'axios';
 import hello from 'hellojs';
 import debounce from 'lodash/debounce';
 import isEmail from 'validator/es/lib/isEmail';
-import DOMPurify from 'dompurify';
 import { MINIMUM_PASSWORD_LENGTH } from '@/../../common/script/constants';
 import { buildAppleAuthUrl } from '../../libs/auth';
-
+import sanitizeRedirect from '@/mixins/sanitizeRedirect';
 import exclamation from '@/assets/svg/exclamation.svg';
 import gryphon from '@/assets/svg/gryphon.svg';
 import habiticaIcon from '@/assets/svg/logo-horizontal.svg';
@@ -619,6 +618,7 @@ import googleIcon from '@/assets/svg/google.svg';
 import appleIcon from '@/assets/svg/apple_black.svg';
 
 export default {
+ mixins: [sanitizeRedirect],
 data () {
 const data = {
 username: '',
@@ -747,11 +747,6 @@ export default {
 }
 });
 }, 500),
- sanitizeRedirect (redirect) {
- if (!redirect) return '/';
- const sanitizedString = DOMPurify.sanitize(redirect).replace(/\\|\/\/|\./g, '');
- return sanitizedString;
- },
 async register () {
 // @TODO do not use alert
 if (!this.email) {
diff --git a/website/client/src/components/static/home.vue b/website/client/src/components/static/home.vue
index f6a15018a91..89f17756b21 100644
--- a/website/client/src/components/static/home.vue
+++ b/website/client/src/components/static/home.vue
@@ -784,6 +784,7 @@ import debounce from 'lodash/debounce';
 import isEmail from 'validator/es/lib/isEmail';
 import { MINIMUM_PASSWORD_LENGTH } from '@/../../common/script/constants';
 import { buildAppleAuthUrl } from '../../libs/auth';
+import sanitizeRedirect from '@/mixins/sanitizeRedirect';
 import googlePlay from '@/assets/images/home/google-play-badge.svg';
 import iosAppStore from '@/assets/images/home/ios-app-store.svg';
 import iphones from '@/assets/images/home/iphones.svg';
@@ -804,6 +805,7 @@ import makeuseof from '@/assets/images/home/make-use-of.svg';
 import thenewyorktimes from '@/assets/images/home/the-new-york-times.svg';
 
 export default {
+ mixins: [sanitizeRedirect],
 data () {
 return {
 icons: Object.freeze({
@@ -923,7 +925,9 @@ export default {
 groupInvite,
 });
 
- window.location.href = this.$route.query.redirectTo || '/';
+ const redirect = this.sanitizeRedirect(this.$route.query.redirectTo);
+
+ window.location.href = redirect;
 },
 playButtonClick () {
 this.$router.push('/register');
diff --git a/website/client/src/mixins/sanitizeRedirect.js b/website/client/src/mixins/sanitizeRedirect.js
new file mode 100644
index 00000000000..aea7eddb115
--- /dev/null
+++ b/website/client/src/mixins/sanitizeRedirect.js
@@ -0,0 +1,16 @@
+export default {
+ methods: {
+ sanitizeRedirect (redirect) {
+ if (!redirect) {
+ return '/';
+ }
+ if (process.env.TRUSTED_DOMAINS.split(',').includes(redirect)) {
+ return redirect;
+ }
+ if (redirect.slice(0, 1) !== '/' || redirect.slice(1, 1) === '/') {
+ return '/';
+ }
+ return redirect;
+ },
+ },
+};
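Review bot: The second-character test `redirect.slice(1, 1) === '/'` in sanitizeRedirect never holds, because `slice` with equal start and end always yields the empty string, so a protocol-relative value beginning with `//` passes the leading-slash check and is returned unchanged — the very case this branch is meant to send back to `/`. Since most browsers also normalise a backslash in that position to a slash when the value is assigned to `window.location.href`, the guard should reject both, e.g. `if (typeof redirect !== 'string' || redirect.slice(0, 1) !== '/' || ['/', '\\'].includes(redirect.slice(1, 2))) {`; the `typeof` term also makes the behaviour explicit for a repeated query parameter, which may reach the method as an array rather than a string. `process.env.TRUSTED_DOMAINS` is dereferenced without a guard, so a build that does not define it throws a TypeError on every non-empty redirect instead of falling back; `(process.env.TRUSTED_DOMAINS ?? '').split(',')` keeps the fallback. A one-line JSDoc such as `/** Returns the redirect only when it is a trusted domain or a same-origin path; otherwise '/'. */` would document the contract both callers now rely on.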