dyzulk/twinpath-hotspot-themes
1
0
Fork 0
mirror of https://github.com/dyzulk/twinpath-hotspot-themes.git synced 2026-01-26 13:31:54 +07:00
Code Issues Packages Projects Releases 2 Wiki Activity

Security: Implement QR Scanner Domain Whitelisting

Browse Source
This commit is contained in:
dyzulk
2026-01-12 08:23:58 +07:00
parent bc9f7ac95e
commit 0c578480b1
2 changed files with 28 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
js/qr-scanner.js
View File

@@ -28,19 +28,33 @@ function handleDecodedText(decodedText) {
let password = "";
scannedUrl = "";
// Check if result is a URL (common for Mikhmon vouchers)
// Check if result is a URL
try {
if (decodedText.startsWith('http://') || decodedText.startsWith('https://')) {
scannedUrl = decodedText; // Store for redirection
const url = new URL(decodedText);
const searchParams = url.search || (decodedText.includes('?') ? '?' + decodedText.split('?')[1] : '');
const params = new URLSearchParams(searchParams);
const hostname = url.hostname;
if (params.has('username')) {
username = params.get('username');
}
if (params.has('password')) {
password = params.get('password');
// SECURITY CHECK: Check against Allowed Domains
const isAllowed = brandConfig.allowedDomains.some(domain =>
hostname === domain || hostname.endsWith('.' + domain)
);
if (isAllowed) {
scannedUrl = decodedText; // Store for redirection
const searchParams = url.search || (decodedText.includes('?') ? '?' + decodedText.split('?')[1] : '');
const params = new URLSearchParams(searchParams);
if (params.has('username')) {
username = params.get('username');
}
if (params.has('password')) {
password = params.get('password');
}
} else {
// Not in whitelist: Treat as plain text and warn user
console.warn(`Blocked unauthorized domain: ${hostname}`);
scannedUrl = ""; // Reset URL redirect
// Optionally: alert user or handle it as raw text
}
}
} catch (e) {