fix(security): restrict link protocols to http and https (#1888)

2025-01-10 14:45:30 +01:00
parent 80c02ef9f2
commit a12dd10269
5 changed files with 41 additions and 4 deletions
--- a/packages/validation/src/search-engine.ts
+++ b/packages/validation/src/search-engine.ts
@@ -5,7 +5,7 @@ import type { SearchEngineType } from "@homarr/definitions";

 const genericSearchEngine = z.object({
  type: z.literal("generic" satisfies SearchEngineType),
-  urlTemplate: z.string().min(1).startsWith("http").includes("%s"),
+  urlTemplate: z.string().min(1).startsWith("http").includes("%s"), // Only allow http and https for security reasons (javascript: is not allowed)
 });

 const fromIntegrationSearchEngine = z.object({