From 6b5727ce91d11a96a2494033706054ea8a0add32 Mon Sep 17 00:00:00 2001
From: Luc Didry
Date: Sun, 28 Oct 2018 16:45:43 +0100
Subject: [PATCH] =?UTF-8?q?Fix=20#128=20=E2=80=94=20Prevent=20XSS=20in=20l?= =?UTF-8?q?ocalStorage=20import?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 themes/default/public/js/lufi-files.js | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/themes/default/public/js/lufi-files.js b/themes/default/public/js/lufi-files.js
index a234e60..0910f1d 100644
--- a/themes/default/public/js/lufi-files.js
+++ b/themes/default/public/js/lufi-files.js
@@ -93,7 +93,7 @@ function importStorage(f) {
 var hasImported = 0;
 for (i = 0; i < newFiles.length; i++) {
 var item = newFiles[i];
- if (!itemExists(item.short)) {
+ if (validURL(item.url) && !itemExists(item.short)) {
 addItem(item);
 hasImported++;
 }
@@ -108,6 +108,19 @@ function importStorage(f) {
 reader.readAsArrayBuffer(f[0]);
 }
 
+function validURL(str) {
+ try {
+ var url = new URL(str);
+ if (url.host) {
+ return true;
+ } else {
+ return false;
+ }
+ } catch(e) {
+ return false;
+ }
+}
+
 function delFile() {
 var dlink = $(this).attr('data-dlink');
 var short = $(this).attr('data-short');
@@ -151,7 +164,12 @@ function massDelete(event) {
 
 function populateFilesTable() {
 $('#myfiles').empty();
- var files = JSON.parse(localStorage.getItem('files'));
+ var files = localStorage.getItem('files');
+ if (files === null) {
+ files = new Array();
+ } else {
+ files = JSON.parse(files);
+ }
 files.sort(function(a, b) {
 if (a.created_at < b.created_at) {
 return -1;
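Review bot: The new guard in the import loop validates only `item.url` before `addItem(item)`, so the other fields of an imported record (`item.short` and whatever else addItem renders, which is outside this hunk) still reach the table unchecked; if addItem builds markup from them, they need escaping at the render site or the same kind of validation here. The guard also reads `item.url` before confirming `item` is an object, so a `null` entry in the imported array throws on the property access instead of being skipped; `if (item && typeof item === 'object' && validURL(item.url) && !itemExists(item.short)) {` would skip it like any other invalid record. importStorage starts and ends outside the hunk.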
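Review bot: validURL accepts any scheme that carries an authority, since the only thing it rejects is a parse failure or an empty host; if the value is used as an href later, an explicit scheme allowlist is the tighter check and also collapses the nested if/else into one expression, `return (url.protocol === 'http:' || url.protocol === 'https:') && url.host !== '';`. The function has no header comment; a one-liner such as `/** Returns true when str parses as an absolute http(s) URL with a non-empty host; never throws. */` would document the contract the caller in importStorage relies on.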
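Review bot: The null check only covers a missing key; `JSON.parse(files)` still throws on a corrupted or non-JSON value in localStorage, and a stored `"null"` or object literal parses without error but then fails at `files.sort` because the result is never checked to be an array. Wrapping the parse in a try/catch and falling back to an empty array when the result is not an array keeps populateFilesTable from breaking the whole page on bad storage, and `[]` reads better than `new Array()`. populateFilesTable continues past the end of the hunk.
```javascript
function populateFilesTable() {
    $('#myfiles').empty();
    var files = [];
    try {
        files = JSON.parse(localStorage.getItem('files'));
    } catch (e) {
        // Corrupted storage value: behave as if nothing were stored.
        files = [];
    }
    if (!Array.isArray(files)) {
        files = [];
    }
    // … unchanged: files.sort(...) and the rest of the function …
```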