fix(media): 🐛 Don't proxy media from trusted origins, use new ProxiedUrl class

2026-03-13 05:49:16 +01:00 · 2025-03-30 23:44:50 +02:00 · 2025-03-30 23:44:50 +02:00 · dc1ddb758d
commit dc1ddb758d
parent 411fcd8af5
14 changed files with 114 additions and 140 deletions
--- a/utils/response.ts
+++ b/utils/response.ts
@ -1,17 +0,0 @@
-import { config } from "~/config.ts";
-
-export type Json =
-    | string
-    | number
-    | boolean
-    | null
-    | undefined
-    | Json[]
-    | { [key: string]: Json };
-
-export const proxyUrl = (url: URL): URL => {
-    const urlAsBase64Url = Buffer.from(url.toString() || "").toString(
-        "base64url",
-    );
-    return new URL(`/media/proxy/${urlAsBase64Url}`, config.http.base_url);
-};
--- a/utils/sanitization.ts
+++ b/utils/sanitization.ts
@ -1,6 +1,6 @@
 import { stringifyEntitiesLight } from "stringify-entities";
 import xss, { type IFilterXSSOptions } from "xss";
-import { proxyUrl } from "./response.ts";
+import { ProxiableUrl } from "~/classes/media/url.ts";

 export const sanitizedHtmlStrip = (html: string): Promise<string> => {
    return sanitizeHtml(html, {
@ -137,9 +137,9 @@ export const sanitizeHtml = async (
                element.setAttribute(
                    "src",
                    element.getAttribute("src")
-                        ? proxyUrl(
-                              new URL(element.getAttribute("src") as string),
-                          ).toString()
+                        ? new ProxiableUrl(
+                              element.getAttribute("src") as string,
+                          ).proxied
                        : "",
                );
            },