From 147dc9d4da25707217bc22a27a4c2f19274ca03c Mon Sep 17 00:00:00 2001
From: Nicolas Werner <nicolas.werner@hotmail.de>
Date: Sun, 17 Oct 2021 17:18:02 +0200
Subject: [PATCH] Use allow list for URI schemes

---
 src/ui/NhekoGlobalObject.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/ui/NhekoGlobalObject.cpp b/src/ui/NhekoGlobalObject.cpp
index 15f2a5af8..a93466d20 100644
--- a/src/ui/NhekoGlobalObject.cpp
+++ b/src/ui/NhekoGlobalObject.cpp
@@ -61,7 +61,17 @@ Nheko::openLink(QString link) const
     QUrl url(link);
     // Open externally if we couldn't handle it internally
     if (!ChatPage::instance()->handleMatrixUri(url)) {
-        QDesktopServices::openUrl(url);
+        const QStringList allowedUrlSchemes = {
+          "http",
+          "https",
+          "mailto",
+        };
+
+        if (allowedUrlSchemes.contains(url.scheme()))
+            QDesktopServices::openUrl(url);
+        else
+            nhlog::ui()->warn("Url '{}' not opened, because the scheme is not in the allow list",
+                              url.toDisplayString().toStdString());
     }
 }
 void
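Review bot: The `allowedUrlSchemes` list is a function-local, so it is rebuilt on every call and guards only this one path to `QDesktopServices::openUrl`. Declaring it as `static const QStringList allowedUrlSchemes = {"http", "https", "mailto"};`, or moving the check into a small shared helper, would let any other external-open call site reuse it; whether such call sites exist is not visible from this hunk. The match uses `QStringList::contains`, which is case-sensitive by default, so it relies on `url.scheme()` returning the scheme already lower-cased. A comment such as `// Only hand well-known schemes to the desktop; QUrl::scheme() is expected to be lower-case here` would record that assumption. The rejected branch only writes a log warning, so the user who clicked the link gets no visible feedback; openLink's body starts above the hunk.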
-- 
GitLab