feat(security): enhance input validation and security measures across various routes

2026-03-04 08:39:29 +01:00
parent ba096a31a2
commit e22a895672
13 changed files with 222 additions and 29 deletions
--- a/src/pages/FederatedRoomDetail.jsx
+++ b/src/pages/FederatedRoomDetail.jsx
@@ -39,7 +39,17 @@ export default function FederatedRoomDetail() {
  }, [id]);

  const handleJoin = () => {
-    window.open(room.join_url, '_blank');
+    // Validate URL scheme to prevent javascript: or other malicious URIs
+    try {
+      const url = new URL(room.join_url);
+      if (url.protocol !== 'https:' && url.protocol !== 'http:') {
+        toast.error(t('federation.invalidJoinUrl'));
+        return;
+      }
+      window.open(room.join_url, '_blank');
+    } catch {
+      toast.error(t('federation.invalidJoinUrl'));
+    }
  };

  const handleRemove = async () => {