JonKazama-Hellion/Hellion-NewTab
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 8 Wiki Activity

fix(security): validate background URL before CSS injection

Browse Source 
Add isValidBgUrl() that only allows blob: and data:image/ protocols.
Applied in applySettings() and the manual URL input handler.
Prevents CSS injection via manipulated bgUrl storage values.
This commit is contained in:
Jon Kazama
2026-04-16 20:18:42 +02:00
parent 2430d65e3a
commit 82dd6e026a
1 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/js/settings.js
+18 -1
View File
@@ -23,6 +23,17 @@ function closeThemeModal() {
overlay.classList.remove('active'); overlay.classList.remove('active');
} }
/**
* Prueft ob eine Background-URL sicher fuer CSS-Einbettung ist.
* Erlaubt nur blob: und data:image/ Protokolle (aus File Upload).
* @param {string} url
* @returns {boolean}
*/
function isValidBgUrl(url) {
return typeof url === 'string' && url.length > 0 &&
(url.startsWith('blob:') || url.startsWith('data:image/'));
}
// ---- ACCORDION ---- // ---- ACCORDION ----
function initAccordion() { function initAccordion() {
const defaultOpen = new Set(['widgets']); const defaultOpen = new Set(['widgets']);
@@ -89,8 +100,10 @@ function applySettings() {
applyTheme(settings.theme || 'nebula', !!settings.bgUrl); applyTheme(settings.theme || 'nebula', !!settings.bgUrl);
if (settings.bgUrl) { if (settings.bgUrl && isValidBgUrl(settings.bgUrl)) {
document.getElementById('bgLayer').style.backgroundImage = `url('${settings.bgUrl}')`; document.getElementById('bgLayer').style.backgroundImage = `url('${settings.bgUrl}')`;
} else if (settings.bgUrl) {
settings.bgUrl = '';
} }
} }
@@ -168,6 +181,10 @@ function bindSettingsEvents() {
}); });
document.getElementById('btnApplyBg').addEventListener('click', async () => { document.getElementById('btnApplyBg').addEventListener('click', async () => {
const url = document.getElementById('bgUrlInput').value.trim(); const url = document.getElementById('bgUrlInput').value.trim();
if (url && !isValidBgUrl(url)) {
await HellionDialog.alert(t('settings.bg_invalid_url'), { type: 'danger', title: t('settings.bg_invalid_url.title') });
return;
}
settings.bgUrl = url; settings.bgUrl = url;
document.getElementById('bgLayer').style.backgroundImage = url ? `url('${url}')` : ''; document.getElementById('bgLayer').style.backgroundImage = url ? `url('${url}')` : '';
await saveSettings(); await saveSettings();