bskylink/src/html/linkRedirectContents.ts at main · danielmorrisey.com/witchsky.app

danielmorrisey.com / witchsky.app

forked from jollywhoppers.com/witchsky.app

fork

Bluesky app fork with some witchin' additions 💫

fork

witchsky.app / bskylink / src / html / linkRedirectContents.ts

at main 31 lines 1.2 kB view raw

wrap content

surfdude29 [bskylink] URL-encode apostrophes before HTML escaping (#9559) 6w ago

177bdcd2

 1import escapeHTML from 'escape-html'
 2
 3export function linkRedirectContents(link: string): string {
 4  // Encode characters that could break out of the single-quoted URL in meta refresh.
 5  // HTML entity escaping (&#39;) is insufficient because the browser decodes entities
 6  // before the meta refresh parser processes the URL, allowing apostrophes to
 7  // prematurely terminate the URL string.
 8  //
 9  // Example: "They're" with HTML escaping becomes "They&#39;re" in HTML, but after
10  // the browser decodes the content attribute, the meta refresh parser sees "They're"
11  // and interprets the apostrophe as the closing quote, truncating the URL to "They".
12  const safeLink = link.replace(/'/g, '%27')
13
14  return `
15    <html>
16      <head>
17        <meta http-equiv="refresh" content="0; URL='${escapeHTML(safeLink)}'" />
18        <meta
19          http-equiv="Cache-Control"
20          content="no-store, no-cache, must-revalidate, max-age=0" />
21        <meta http-equiv="Pragma" content="no-cache" />
22        <meta http-equiv="Expires" content="0" />
23        <style>
24          :root {
25            color-scheme: light dark;
26          }
27        </style>
28      </head>
29    </html>
30  `
31}

Configure Feed

Configure Feed