From 330e4ee12ebf81580d82434f83bb97998bf9347d Mon Sep 17 00:00:00 2001
From: Matchu
Date: Tue, 9 Feb 2021 16:11:32 -0800
Subject: [PATCH] Fix URL parsing for Jetsam Lunch Lady items
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A crasher, fixed! :) I made Jetsam Lunch Lady Gloves no longer crash the page, lol - its thumbnail URL is "/items/clo_jetsam_lunchladygloves.gif", with no host specified. The shoes are the same! I also added a fallback, to return a placeholder error URL instead of just letting the URL through as-is—and I updated the other error case to behave the same. I'd rather have a specific isolated feature get crashy, than have the mixed content warning pop up, or let through some mystery unparseable URL that, idk, might be part of an attack?? Seems better to fail hard-but-small than easy-but-potentially-leakily.
---
 src/app/util.js | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/app/util.js b/src/app/util.js
index 0dff89a..4eb6e6a 100644
--- a/src/app/util.js
+++ b/src/app/util.js
@@ -108,7 +108,26 @@ export function safeImageUrl(urlString) {
 return urlString;
 }
- const url = new URL(urlString);
+ let url;
+ try {
+ url = new URL(
+ urlString,
+ // A few item thumbnail images incorrectly start with "/". When that
+ // happens, the correct URL is at images.neopets.com.
+ //
+ // So, we provide "http://images.neopets.com" as the base URL when
+ // parsing. Most URLs are absolute and will ignore it, but relative URLs
+ // will resolve relative to that base.
+ "http://images.neopets.com"
+ );
+ } catch (e) {
+ logAndCapture(
+ new Error(
+ `safeImageUrl could not parse URL: ${urlString}. Returning a placeholder.`
+ )
+ );
+ return "https://impress-openneo.net/__error__URL-was-not-parseable__";
+ }
 if (url.origin === "http://images.neopets.com") {
 url.protocol = "https:";
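Review bot: The base argument in `new URL(urlString, "http://images.neopets.com")` applies to every relative reference, not only the leading-"/" thumbnails the comment describes. A string with no scheme at all is therefore resolved under images.neopets.com and, presumably via the origin branch that follows, returned as an HTTPS URL, so the new catch block will rarely be reached. A protocol-relative value ("//host/path") also takes its host from the input rather than from the base. If only the single-leading-slash case is intended, pass the base conditionally: `const base = /^\/(?!\/)/.test(urlString) ? "http://images.neopets.com" : undefined;` followed by `url = new URL(urlString, base);`. safeImageUrl starts and ends outside this hunk, so the early-return guard above it is not visible here.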
@@ -120,10 +139,10 @@ export function safeImageUrl(urlString) {
 if (url.protocol !== "https:") {
 console.warn(
- "safeImageUrl was provided an unsafe URL, but we don't know how to " +
- "upgrade it to HTTPS. Returning as-is: " +
- urlString
+ `safeImageUrl was provided an unsafe URL, but we don't know how to ` +
+ `upgrade it to HTTPS: ${urlString}. Returning a placeholder.`
 );
+ return "https://impress-openneo.net/__error__URL-was-not-HTTPS__";
 }
 return url.toString();
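Review bot: The non-HTTPS branch still reports through `console.warn`, while the parse-failure branch added in the first hunk uses `logAndCapture(new Error(...))`, so the two placeholder paths are reported differently. This one may never reach whatever error capture logAndCapture feeds; its definition is outside the diff, so that is an inference. Consider passing the same message to `logAndCapture(new Error(message))` here, so a rejected scheme is as visible as an unparseable string. Both messages interpolate the raw `urlString`; since the commit treats it as untrusted, truncating it or wrapping it in `JSON.stringify(urlString)` before logging keeps control characters and very long values out of the log. The function body begins outside this hunk.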