fix: xss possibilities through window.open

tonkeeper · Jan 16, 2025 · 7d22958 · 7d22958
1 parent 250b05d
commit 7d22958
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 5 deletions.
diff --git a/apps/desktop/src/telegram-widget.js b/apps/desktop/src/telegram-widget.js
@@ -520,7 +520,7 @@
 
 /* PATCHED */ const origin =  REACT_APP_TG_BOT_ORIGIN;
 /* PATCHED */ var popup_url = Telegram.Login.widgetsOrigin + '/auth?bot_id=' + encodeURIComponent(options.bot_id) + '&origin=' + encodeURIComponent(origin) + (options.request_access ? '&request_access=' + encodeURIComponent(options.request_access) : '') + ('&lang=' + encodeURIComponent(options.lang)) + '&return_to=' + encodeURIComponent(origin);
-        var popup = window.open(popup_url, '_blank', 'width=' + width + ',height=' + height + ',left=' + left + ',top=' + top + ',status=0,location=0,menubar=0,toolbar=0');
+/* PATCHED */ var popup = window.open(popup_url, '_blank', 'noreferrer,noopener,width=' + width + ',height=' + height + ',left=' + left + ',top=' + top + ',status=0,location=0,menubar=0,toolbar=0');
         TelegramLogin.popups[bot_id] = {
           window: popup,
           authFinished: false

diff --git a/apps/extension/src/libs/appSdk.ts b/apps/extension/src/libs/appSdk.ts
@@ -19,6 +19,9 @@ export class ExtensionAppSdk extends BaseApp {
 
     openPage = (url: string) => {
         return new Promise<void>((resolve, reject) => {
+            if (!url.startsWith('http')) {
+                reject('Invalid url');
+            }
             browser.tabs.create({ url }).then(newTab => {
                 const error = checkForError();
                 if (error) {

diff --git a/apps/tablet/src/libs/appSdk.ts b/apps/tablet/src/libs/appSdk.ts
@@ -84,7 +84,7 @@ export class TabletAppSdk extends BaseApp implements IAppSdk {
     };
 
     openPage = async (url: string) => {
-        getWindow()?.open(url, '_blank');
+        getWindow()?.open(url, '_blank', 'noreferrer,noopener');
     };
 
     version = packageJson.version ?? 'Unknown';

diff --git a/apps/twa/src/libs/appSdk.ts b/apps/twa/src/libs/appSdk.ts
@@ -55,6 +55,9 @@ export class TwaAppSdk extends BaseApp {
     };
 
     openPage = async (url: string) => {
+        if (!url.startsWith('http')) {
+            throw new Error('Invalid url');
+        }
         if (url.includes('t.me')) {
             this.utils.openTelegramLink(url);
         } else {

diff --git a/apps/web-swap-widget/src/libs/appSdk.ts b/apps/web-swap-widget/src/libs/appSdk.ts
@@ -28,7 +28,7 @@ export class WidgetAppSdk extends BaseApp {
     };
 
     openPage = async (url: string) => {
-        window.open(url, '_black');
+        window.open(url, '_black', 'noreferrer,noopener');
     };
 
     disableScroll = disableScroll;

diff --git a/apps/web/src/libs/appSdk.ts b/apps/web/src/libs/appSdk.ts
@@ -24,7 +24,7 @@ export class BrowserAppSdk extends BaseApp {
         this.topMessage(notification);
     };
     openPage = async (url: string) => {
-        window.open(url, '_black');
+        window.open(url, '_black', 'noreferrer,noopener');
     };
 
     disableScroll = disableScroll;

diff --git a/apps/web/src/telegram-widget.js b/apps/web/src/telegram-widget.js
@@ -611,7 +611,7 @@
                 var popup = window.open(
                     popup_url,
                     '_blank',
-                    'width=' +
+/* PATCHED */     'noreferrer,noopener,width=' +
                         width +
                         ',height=' +
                         height +