editor/server: escape user provided link if insecure

2025-12-19 14:59:28 +00:00 · 2025-11-22 00:58:57 +08:00
parent 73347bfd93
commit 3c039efcd9
2 changed files with 25 additions and 1 deletions
--- a/editor/server/share.py
+++ b/editor/server/share.py
@@ -24,7 +24,7 @@ from . import (
    models
 )

-from .utils import fill_cf_template_params
+from .utils import fill_cf_template_params, sanitize_page_param_links

 # root_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), '../../')
 # examples_dir = os.path.join(root_dir, 'examples')
@@ -120,6 +120,7 @@ def get(name: str):
        params['what_can_i_do'] = html.escape(params.get('what_can_i_do', ''))
        fill_cf_template_params(params)
        fill_template_params(params)
+        sanitize_page_param_links(params)

        return template.render(base=cf_template,
                               params=params,
--- a/editor/server/utils.py
+++ b/editor/server/utils.py
@@ -48,3 +48,26 @@ def fill_cf_template_params(params: dict):
    if not client_ip:
        client_ip = request.remote_addr
    params['client_ip'] = client_ip
+
+
+def sanitize_user_link(link: str):
+    link = link.strip()
+    link_lower = link
+    if link_lower.startswith('http://') or link_lower.startswith('https://'):
+        return link
+    if '.' in link or '/' in link:
+        return 'https://' + link
+    return '#' + link
+
+
+def sanitize_page_param_links(param: dict):
+    more_info = param.get('more_information')
+    if more_info:
+        link = more_info.get('link')
+        if link:
+            more_info['link'] = sanitize_user_link(link)
+    perf_sec_by = param.get('perf_sec_by')
+    if perf_sec_by:
+        link = perf_sec_by.get('link')
+        if link:
+            perf_sec_by['link'] = sanitize_user_link(link)