Fix URL parsing for Jetsam Lunch Lady items

A crasher, fixed! :) I made Jetsam Lunch Lady Gloves no longer crash the page, lol - its thumbnail URL is "/items/clo_jetsam_lunchladygloves.gif", with no host specified. The shoes are the same!

I also added a fallback, to return a placeholder error URL instead of just letting the URL through as-is—and I updated the other error case to behave the same. I'd rather have a specific isolated feature get crashy, than have the mixed content warning pop up, or let through some mystery unparseable URL that, idk, might be part of an attack?? Seems better to fail hard-but-small than easy-but-potentially-leakily.
Emi Matchu 2021-02-09 16:11:32 -08:00
parent fe5eab5763
commit 330e4ee12e


@ -108,7 +108,26 @@ export function safeImageUrl(urlString) {
return urlString;
}
const url = new URL(urlString);
let url;
try {
url = new URL(
urlString,
// A few item thumbnail images incorrectly start with "/". When that
// happens, the correct URL is at images.neopets.com.
//
// So, we provide "http://images.neopets.com" as the base URL when
// parsing. Most URLs are absolute and will ignore it, but relative URLs
// will resolve relative to that base.
"http://images.neopets.com"
);
} catch (e) {
logAndCapture(
new Error(
`safeImageUrl could not parse URL: ${urlString}. Returning a placeholder.`
)
);
return "https://impress-openneo.net/__error__URL-was-not-parseable__";
}
if (url.origin === "http://images.neopets.com") {
url.protocol = "https:";
@ -120,10 +139,10 @@ export function safeImageUrl(urlString) {
if (url.protocol !== "https:") {
console.warn(
"safeImageUrl was provided an unsafe URL, but we don't know how to " +
"upgrade it to HTTPS. Returning as-is: " +
urlString
`safeImageUrl was provided an unsafe URL, but we don't know how to ` +
`upgrade it to HTTPS: ${urlString}. Returning a placeholder.`
);
return "https://impress-openneo.net/__error__URL-was-not-HTTPS__";
}
return url.toString();
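Review bot: The non-HTTPS branch in the second hunk now returns a placeholder and so breaks the image just like the parse failure does, but it still reports through `console.warn` while the new `catch` block reports through `logAndCapture`. Rejected URLs in that branch will therefore only appear in the visitor's console; wrapping the same message as `logAndCapture(new Error(...))` would make both fail-closed paths visible in the same place. Separately, the last guard checks only `url.protocol`, so unless the lines between the two hunks (not visible here) restrict the origin, an `https:` URL on any host is returned unchanged. If thumbnails are only ever expected from known image hosts, a hostname allowlist before `return url.toString();` would complete the fail-hard behaviour the commit message describes. `safeImageUrl` starts before the first hunk and continues past the second.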