Security: Add fail-safe current domain validation to QR scanner

dyzulk
2026-01-12 08:47:23 +07:00
parent 0c578480b1
commit fec1613713


@@ -33,11 +33,14 @@ function handleDecodedText(decodedText) {
if (decodedText.startsWith('http://') || decodedText.startsWith('https://')) {
const url = new URL(decodedText);
const hostname = url.hostname;
const currentHostname = window.location.hostname;
// SECURITY CHECK: Check against Allowed Domains
const isAllowed = brandConfig.allowedDomains.some(domain =>
// SECURITY CHECK:
// 1. Fail-safe: Always allow current domain
// 2. Config: Allow domains in whitelist
const isAllowed = (hostname === currentHostname) || (brandConfig.allowedDomains && brandConfig.allowedDomains.some(domain =>
hostname === domain || hostname.endsWith('.' + domain)
);
));
if (isAllowed) {
scannedUrl = decodedText; // Store for redirection
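Review bot: The new same-host branch of the `isAllowed` expression compares only `hostname` with `window.location.hostname`, so scheme and port are unconstrained: because the block also accepts the `http://` prefix, a scanned plaintext URL for the current host on any port passes even when the page itself is served over HTTPS. If the fail-safe is meant to cover links back to this site, comparing origins is tighter: `url.origin === window.location.origin`. Separately, the `brandConfig.allowedDomains &&` guard covers a missing list, but a truthy non-array value would still throw on `.some`; `Array.isArray(brandConfig.allowedDomains) && ...` handles both cases. handleDecodedText starts and ends outside the hunk, so whether `new URL(decodedText)` is wrapped in a try/catch and how `scannedUrl` is later used for the redirect cannot be seen from here.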