Merge pull request #2173 from kvhnuke/devop/fix-xss-on-phishing-temp

devop/fix-xss-on-phishing-temp
MyEtherWallet · Dec 5, 2018 · 8face5a · 8face5a
2 parents 80a5376 + c8161fd
commit 8face5a
Show file tree

Hide file tree

Showing 5 changed files with 2,980 additions and 1,952 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,14 @@
+### New
+- Bitbox integration [#2172](https://github.com/kvhnuke/etherwallet/pull/2172)
+- Add CBM token [#2150](https://github.com/kvhnuke/etherwallet/pull/2150)
+- Enable Ledger Hardware wallet support for Ellaism [#2175](https://github.com/kvhnuke/etherwallet/pull/2175)
+- Fix url parsing in phishing redirect, Add Meditel(TEL) token, Update HAV and nUSD tokens, Add TKLN, Update Havven Mintr contract, add Paypite contract [#2173](https://github.com/kvhnuke/etherwallet/pull/2173)
+
 ### Release v3.27.0
 
 ### New
 
-- Fix send null and browser check issues [#2165](https://github.com/kvhnuke/etherwallet/pull/2165)
+- Fix send null and browser check issues [#2148](https://github.com/kvhnuke/etherwallet/pull/2148)
 - Add PIT, SKE tokens, add HUM contract [#2165](https://github.com/kvhnuke/etherwallet/pull/2165)
 - Add ZIX token [#2163](https://github.com/kvhnuke/etherwallet/pull/2163)
 - Add CRO contract [#2160](https://github.com/kvhnuke/etherwallet/pull/2160)

diff --git a/app/layouts/phishing.html b/app/layouts/phishing.html
@@ -6,19 +6,25 @@ <h1>You've been redirected to safety!</h1>
 </section>
 <script>
 (function() {
+  const regex = /[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?/gi;
 	const url = globalFuncs.stripTags(window.location.search.replace("?phishing-address=", ""));
-	const body = document.getElementById("phishingMsg");
-	const fragment = document.createDocumentFragment();
-	const newP1 = document.createElement("p");
-	const newP2 = document.createElement("p");
-	newP1.innerHTML = `</br></br></br></br></br>
-    The url ${url} has been flagged as a supicious site by the community.
-  `;
+  console.log(url, url.match(regex) !== null);
+  const body = document.getElementById("phishingMsg");
+  const fragment = document.createDocumentFragment();
+  const newP1 = document.createElement("p");
+  const newP2 = document.createElement("p");
+  url.match(regex) !== null ? 
+    newP1.innerHTML = `</br></br></br></br></br>
+      The url ${url} has been flagged as a supicious site by the community.
+    ` :
+    newP1.innerHTML =  `</br></br></br></br></br>
+      Unparsable url found.
+    `;
   newP2.textContent =`
   Please refrain from going to this site for the mean time.`
   fragment.appendChild(newP1);
   fragment.appendChild(newP2);
-	body.appendChild(fragment);
+  body.appendChild(fragment);
 })();
 </script>
 @@include( '../includes/footer.tpl', { "site": "mew" } )