diff --git a/apps/desktop/src/telegram-widget.js b/apps/desktop/src/telegram-widget.js
index 796f76e24..69241670e 100644
--- a/apps/desktop/src/telegram-widget.js
+++ b/apps/desktop/src/telegram-widget.js
@@ -520,7 +520,7 @@
 /* PATCHED */ const origin = REACT_APP_TG_BOT_ORIGIN;
 /* PATCHED */ var popup_url = Telegram.Login.widgetsOrigin + '/auth?bot_id=' + encodeURIComponent(options.bot_id) + '&origin=' + encodeURIComponent(origin) + (options.request_access ? '&request_access=' + encodeURIComponent(options.request_access) : '') + ('&lang=' + encodeURIComponent(options.lang)) + '&return_to=' + encodeURIComponent(origin);
- var popup = window.open(popup_url, '_blank', 'width=' + width + ',height=' + height + ',left=' + left + ',top=' + top + ',status=0,location=0,menubar=0,toolbar=0');
+/* PATCHED */ var popup = window.open(popup_url, '_blank', 'noreferrer,noopener,width=' + width + ',height=' + height + ',left=' + left + ',top=' + top + ',status=0,location=0,menubar=0,toolbar=0');
 TelegramLogin.popups[bot_id] = {
 window: popup,
 authFinished: false
diff --git a/apps/extension/src/libs/appSdk.ts b/apps/extension/src/libs/appSdk.ts
index 3d8e4662c..931346961 100644
--- a/apps/extension/src/libs/appSdk.ts
+++ b/apps/extension/src/libs/appSdk.ts
@@ -19,6 +19,9 @@ export class ExtensionAppSdk extends BaseApp {
 openPage = (url: string) => {
 return new Promise((resolve, reject) => {
+ if (!url.startsWith('http')) {
+ reject('Invalid url');
+ }
 browser.tabs.create({ url }).then(newTab => {
 const error = checkForError();
 if (error) {
diff --git a/apps/tablet/src/libs/appSdk.ts b/apps/tablet/src/libs/appSdk.ts
index 57af82a5c..6ffd9abcd 100644
--- a/apps/tablet/src/libs/appSdk.ts
+++ b/apps/tablet/src/libs/appSdk.ts
@@ -84,7 +84,7 @@ export class TabletAppSdk extends BaseApp implements IAppSdk {
 };
 openPage = async (url: string) => {
- getWindow()?.open(url, '_blank');
+ getWindow()?.open(url, '_blank', 'noreferrer,noopener');
 };
 version = packageJson.version ?? 'Unknown';
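Review bot: With `noopener` in the features string, `window.open` returns `null`, so the `popup` stored as `window: popup` in `TelegramLogin.popups[bot_id]` on the following context lines is no longer a window handle. Any later code that focuses the popup, polls `popup.closed`, or waits for a message posted through `window.opener` would stop working; that code is outside this hunk and should be checked before merging. If completion is now detected some other way, say so next to the call, for example `/* PATCHED: noopener makes window.open return null; popup handle is intentionally unused */`. The same applies to the matching change in apps/web/src/telegram-widget.js.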
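Review bot: The new guard calls `reject('Invalid url')` but does not return, so `browser.tabs.create({ url })` on the next line still runs and a tab is opened for a URL that just failed the check. Return immediately after rejecting, and reject with an Error rather than a bare string: `reject(new Error('Invalid url')); return;`. The promise executor continues past the end of this hunk, so the rest of the body is not visible here.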
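Review bot: This `openPage` passes `url` to `open()` without the scheme check that the same commit adds to the extension and TWA variants, so the restriction to web links is not applied consistently. The `openPage` methods in apps/web-swap-widget/src/libs/appSdk.ts and apps/web/src/libs/appSdk.ts are in the same position. Since every class here extends `BaseApp`, one shared validation step would keep the five implementations from drifting. The guard itself is short: `const { protocol } = new URL(url);` followed by `if (protocol !== 'http:' && protocol !== 'https:') throw new Error('Invalid url');`.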
diff --git a/apps/twa/src/libs/appSdk.ts b/apps/twa/src/libs/appSdk.ts
index a7f63aa6b..b7694e688 100644
--- a/apps/twa/src/libs/appSdk.ts
+++ b/apps/twa/src/libs/appSdk.ts
@@ -55,6 +55,9 @@ export class TwaAppSdk extends BaseApp {
 };
 openPage = async (url: string) => {
+ if (!url.startsWith('http')) {
+ throw new Error('Invalid url');
+ }
 if (url.includes('t.me')) {
 this.utils.openTelegramLink(url);
 } else {
diff --git a/apps/web-swap-widget/src/libs/appSdk.ts b/apps/web-swap-widget/src/libs/appSdk.ts
index 70c27287a..7b7e886d4 100644
--- a/apps/web-swap-widget/src/libs/appSdk.ts
+++ b/apps/web-swap-widget/src/libs/appSdk.ts
@@ -28,7 +28,7 @@ export class WidgetAppSdk extends BaseApp {
 };
 openPage = async (url: string) => {
- window.open(url, '_black');
+ window.open(url, '_black', 'noreferrer,noopener');
 };
 disableScroll = disableScroll;
diff --git a/apps/web/src/libs/appSdk.ts b/apps/web/src/libs/appSdk.ts
index e2717e5a7..5efdd9d10 100644
--- a/apps/web/src/libs/appSdk.ts
+++ b/apps/web/src/libs/appSdk.ts
@@ -24,7 +24,7 @@ export class BrowserAppSdk extends BaseApp {
 this.topMessage(notification);
 };
 openPage = async (url: string) => {
- window.open(url, '_black');
+ window.open(url, '_black', 'noreferrer,noopener');
 };
 disableScroll = disableScroll;
diff --git a/apps/web/src/telegram-widget.js b/apps/web/src/telegram-widget.js
index 747030045..1aa2d1170 100644
--- a/apps/web/src/telegram-widget.js
+++ b/apps/web/src/telegram-widget.js
@@ -611,7 +611,7 @@
 var popup = window.open(
 popup_url,
 '_blank',
- 'width=' +
+/* PATCHED */ 'noreferrer,noopener,width=' +
 width +
 ',height=' +
 height +
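Review bot: `url.startsWith('http')` is a prefix test rather than a scheme test: it accepts any string that merely begins with those four letters and rejects an upper-case `HTTPS://` link. Parsing is stricter and no longer: `const { protocol } = new URL(url);` then `if (protocol !== 'http:' && protocol !== 'https:') throw new Error('Invalid url');`, where `new URL` also throws on unparsable input. The parsed `hostname` could then replace the `url.includes('t.me')` substring test on the following context line, which matches that text anywhere in the URL, not only in the host. The extension variant in apps/extension/src/libs/appSdk.ts uses the same prefix test.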
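Review bot: The target `'_black'` on the changed line looks like a typo for `'_blank'`; as written it is an ordinary window name, not the reserved keyword. The commit already edits this call, so the literal can be corrected in the same change: `window.open(url, '_blank', 'noreferrer,noopener');`. The same literal is carried over in apps/web/src/libs/appSdk.ts.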