Emdash source with visual editor image upload fix

Fixes:
1. media.ts: wrap placeholder generation in try-catch
2. toolbar.ts: check r.ok, display error message in popover
2026-05-03 10:44:54 +07:00
parent 78f81bebb6
commit 2d1be52177
2352 changed files with 662964 additions and 0 deletions


@@ -0,0 +1,59 @@
import { describe, it, expect } from "vitest";
import { sanitizeRedirectUrl } from "../../src/lib/url";
describe("sanitizeRedirectUrl", () => {
it("allows simple relative paths", () => {
expect(sanitizeRedirectUrl("/_emdash/admin")).toBe("/_emdash/admin");
});
it("allows deep relative paths", () => {
expect(sanitizeRedirectUrl("/_emdash/admin/content/posts")).toBe(
"/_emdash/admin/content/posts",
);
});
it("allows root path", () => {
expect(sanitizeRedirectUrl("/")).toBe("/");
});
it("allows paths with query strings", () => {
expect(sanitizeRedirectUrl("/_emdash/admin?tab=settings")).toBe("/_emdash/admin?tab=settings");
});
it("allows paths with hash fragments", () => {
expect(sanitizeRedirectUrl("/_emdash/admin#section")).toBe("/_emdash/admin#section");
});
it("rejects absolute http URLs (open redirect)", () => {
expect(sanitizeRedirectUrl("https://evil.com/phishing")).toBe("/_emdash/admin");
});
it("rejects absolute http URLs without TLS", () => {
expect(sanitizeRedirectUrl("http://evil.com")).toBe("/_emdash/admin");
});
it("rejects protocol-relative URLs (//evil.com)", () => {
expect(sanitizeRedirectUrl("//evil.com/phishing")).toBe("/_emdash/admin");
});
it("rejects javascript: scheme (DOM XSS)", () => {
expect(sanitizeRedirectUrl("javascript:alert(document.cookie)")).toBe("/_emdash/admin");
});
it("rejects data: scheme", () => {
expect(sanitizeRedirectUrl("data:text/html,<script>alert(1)</script>")).toBe("/_emdash/admin");
});
it("rejects backslash trick (/\\evil.com)", () => {
expect(sanitizeRedirectUrl("/\\evil.com")).toBe("/_emdash/admin");
});
it("rejects empty string", () => {
expect(sanitizeRedirectUrl("")).toBe("/_emdash/admin");
});
it("rejects bare domain", () => {
expect(sanitizeRedirectUrl("evil.com")).toBe("/_emdash/admin");
});
});
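Review bot: The rejection cases in this suite use only cleanly formed strings, so nothing pins how `sanitizeRedirectUrl` treats a value that starts with `/` but contains an ASCII tab, newline or leading whitespace, which browser URL parsers strip before resolving the target. The implementation in `src/lib/url` is not visible here, so this may already be handled, but a regression test would lock it in, for example `it("rejects paths containing tab or newline characters", () => { expect(sanitizeRedirectUrl("/\t/evil.com")).toBe("/_emdash/admin"); });`. The test titled "rejects absolute http URLs (open redirect)" actually passes an `https://` value, so renaming it to "rejects absolute https URLs" would keep it distinct from the "without TLS" case below it. The fallback `"/_emdash/admin"` is repeated as a literal in every rejection assertion; a single `const FALLBACK = "/_emdash/admin";` at the top of the `describe` would make a future change to the default a one-line edit.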