From efaf4fbbda17198a14e0c0d9c86f53142e1d89ca Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Thu, 23 Apr 2020 15:22:54 -0600
Subject: [PATCH 1/3] Decode dollar signs in safe widget URLs before rendering/templating

Fixes https://github.com/vector-im/riot-web/issues/13344
---
 src/components/views/elements/AppTile.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js
index 60382b5606..bf9054771c 100644
--- a/src/components/views/elements/AppTile.js
+++ b/src/components/views/elements/AppTile.js
@@ -636,7 +636,10 @@ export default class AppTile extends React.Component {
 if (ALLOWED_APP_URL_SCHEMES.includes(parsedWidgetUrl.protocol)) {
 safeWidgetUrl = url.format(parsedWidgetUrl);
 }
- return safeWidgetUrl;
+
+ // Replace all the dollar signs back to dollar signs as they don't affect HTTP at all.
+ // We also need the dollar signs in-tact for variable substitution.
+ return safeWidgetUrl.replace(/%24/g, '$');
 }
 
 _getTileTitle() {

From 28865e27bc30ba73b7fc1b4f4c0483a41b6b2a7e Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Thu, 23 Apr 2020 15:24:20 -0600
Subject: [PATCH 2/3] Don't overwrite the 'domain' data key for all widgets

Some widgets, which aren't Jitsi widgets, might need this to be something else.
---
 src/components/views/elements/AppTile.js | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js
index bf9054771c..366669a276 100644
--- a/src/components/views/elements/AppTile.js
+++ b/src/components/views/elements/AppTile.js
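Review bot: In PATCH 1/3, the new `return safeWidgetUrl.replace(/%24/g, '$');` decodes every `%24` in the URL, not only those that form template placeholders, and it does so after the `ALLOWED_APP_URL_SCHEMES` check, so the string this function hands out as the safe URL is no longer the one `url.format()` produced. A `$name` sequence that a widget definition had percent-encoded on purpose will now be picked up by the templating step the comment refers to. The decode cannot change the protocol that was just validated, and the comment should say so instead of "Replace all the dollar signs back to dollar signs"; for example `// Restore '$' (%24) so $var placeholders can be templated; done after the scheme check, and '$' cannot alter the protocol.` The function starts outside the hunk, so the initial value of `safeWidgetUrl` is not visible; if it is not a string when the scheme is rejected, `.replace` throws.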
@@ -569,12 +569,14 @@ export default class AppTile extends React.Component {
 *
 * @returns {string} url with temlate variables replaced
 */
- _templatedUrl(u) {
+ _templatedUrl(u, widgetType: string) {
+ const targetData = {};
+ if (WidgetType.JITSI.matches(widgetType)) {
+ targetData['domain'] = 'jitsi.riot.im'; // v1 jitsi widgets have this hardcoded
+ }
 const myUserId = MatrixClientPeg.get().credentials.userId;
 const myUser = MatrixClientPeg.get().getUser(myUserId);
- const vars = Object.assign({
- domain: "jitsi.riot.im", // v1 widgets have this hardcoded
- }, this.props.app.data, {
+ const vars = Object.assign(targetData, this.props.app.data, {
 'matrix_user_id': myUserId,
 'matrix_room_id': this.props.room.roomId,
 'matrix_display_name': myUser ? myUser.displayName : myUserId,
@@ -611,18 +613,19 @@ export default class AppTile extends React.Component {
 } else {
 url = this._getSafeUrl(this.state.widgetUrl);
 }
- return this._templatedUrl(url);
+ return this._templatedUrl(url, this.props.app.type);
 }
 
 _getPopoutUrl() {
 if (WidgetType.JITSI.matches(this.props.app.type)) {
 return this._templatedUrl(
 WidgetUtils.getLocalJitsiWrapperUrl({forLocalRender: false}),
+ this.props.app.type
 );
 } else {
 // use app.url, not state.widgetUrl, because we want the one without
 // the wURL params for the popped-out version.
- return this._templatedUrl(this._getSafeUrl(this.props.app.url));
+ return this._templatedUrl(this._getSafeUrl(this.props.app.url), this.props.app.type);
 }
 }
 

From 50783c2432968817aead3ae6228c6a07b7436fb6 Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Thu, 23 Apr 2020 23:25:53 -0600
Subject: [PATCH 3/3] Appease the linter

---
 src/components/views/elements/AppTile.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js
index 366669a276..6a5dfc97e0 100644
--- a/src/components/views/elements/AppTile.js
+++ b/src/components/views/elements/AppTile.js
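Review bot: In `_templatedUrl` (PATCH 2/3, first hunk) the argument order of `Object.assign(targetData, this.props.app.data, {...})` is the only thing that keeps widget-supplied data from overriding the `matrix_*` keys, and nothing in the code says so. `this.props.app.data` presumably comes from the widget definition, so it may replace the Jitsi `domain` default but must never win over `'matrix_user_id'` or `'matrix_room_id'`. A comment above the call such as `// Order matters: app.data may override the default domain, but the matrix_* keys below always win.` would protect that from a later reordering. The object literal and the function body continue past the end of the hunk.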
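Review bot: The `widgetType` argument added to the three `_templatedUrl` calls (PATCH 2/3, second hunk: two in `_getPopoutUrl`, one in the function above it) is always `this.props.app.type`, while `_templatedUrl` already reads `this.props.app.data` and `this.props.room` from props itself. Passing the type separately lets a future caller template one widget's data with another widget's type, and the type decides whether the `jitsi.riot.im` default is applied. Reading it inside the function, `if (WidgetType.JITSI.matches(this.props.app.type)) {`, keeps the signature as `_templatedUrl(u)` and also drops the `widgetType: string` annotation from a `.js` file. The first function touched by this hunk starts outside it.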
@@ -566,6 +566,7 @@ export default class AppTile extends React.Component {
 * Replace the widget template variables in a url with their values
 *
 * @param {string} u The URL with template variables
+ * @param {string} widgetType The widget's type
 *
 * @returns {string} url with temlate variables replaced
 */
@@ -620,7 +621,7 @@ export default class AppTile extends React.Component {
 if (WidgetType.JITSI.matches(this.props.app.type)) {
 return this._templatedUrl(
 WidgetUtils.getLocalJitsiWrapperUrl({forLocalRender: false}),
- this.props.app.type
+ this.props.app.type,
 );
 } else {
 // use app.url, not state.widgetUrl, because we want the one without