[READ-ONLY] a fast, modern browser for the npm registry

fix: validate protocol of urls more securely

+14 -2
server/utils/readme.ts
··· 206 206 if (url.startsWith('#')) { 207 207 return url 208 208 } 209 - if (url.startsWith('http://') || url.startsWith('https://') || url.startsWith('//')) { 210 - return url 209 + if (hasProtocol(url, { acceptRelative: true })) { 210 + try { 211 + const parsed = new URL(url, 'https://example.com') 212 + if (parsed.protocol === 'http:' || parsed.protocol === 'https:') { 213 + return url 214 + } 215 + } catch { 216 + // Invalid URL, fall through to resolve as relative 217 + } 218 + // return protocol-relative URLs (//example.com) as-is 219 + if (url.startsWith('//')) { 220 + return url 221 + } 222 + // for non-HTTP protocols (javascript:, data:, etc.), don't return, treat as relative 211 223 } 212 224 213 225 // Prefer GitHub raw URLs when repository info is available
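Review bot: the fall-through for non-HTTP schemes at the end of the hunk ("treat as relative") depends on how the relative branch below line 223 resolves the string, which is not in the hunk; if that resolution is `new URL(url, base)`, an input that carries its own scheme is absolute and the base is ignored, so the scheme this check just rejected would come back out unchanged. Consider returning an inert value (for example `'#'` or `''`) on that path rather than relying on the relative branch, or add a comment and a test showing that the resolver is string-based. Two smaller points: `hasProtocol` is called but no import appears in the hunk, so confirm it is imported at the top of `server/utils/readme.ts`; and the explicit `url.startsWith('//')` branch after the `try` is only reached when `new URL(url, 'https://example.com')` threw, because a well-formed `//host/path` resolves to `https:` and returns from the earlier check, so that branch echoes back inputs the parser rejected and could be dropped or given a comment explaining why returning them is intended.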