fix(ui): protect window.location xss (#1639)

protect window.location xss
logto-io · Jul 21, 2022 · 34b465c · 34b465c
1 parent 69b1b85
commit 34b465c
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/packages/ui/src/hooks/use-social-landing-handler.ts b/packages/ui/src/hooks/use-social-landing-handler.ts
@@ -30,7 +30,7 @@ const useSocialLandingHandler = () => {
         storeCallbackLink(connectorId, nativeCallbackLink);
       }
 
-      window.location.replace(redirectUri);
+      window.location.replace(new URL(redirectUri));
     },
     [search, setToast, t]
   );

diff --git a/packages/ui/src/pages/SocialLanding/index.test.tsx b/packages/ui/src/pages/SocialLanding/index.test.tsx
@@ -13,7 +13,7 @@ describe(`SocialLanding Page`, () => {
   const replace = jest.fn();
   it('Should set session storage and redirect', async () => {
     const callbackLink = 'logto:logto.android.com';
-    const redirectUri = 'www.github.com';
+    const redirectUri = 'http://www.github.com';
 
     /* eslint-disable @silverhand/fp/no-mutating-methods */
     Object.defineProperty(window, 'location', {
@@ -40,7 +40,7 @@ describe(`SocialLanding Page`, () => {
     );
 
     await waitFor(() => {
-      expect(replace).toBeCalledWith(redirectUri);
+      expect(replace).toBeCalledWith(new URL(redirectUri));
     });
 
     expect(getCallbackLinkFromStorage('github')).toBe(callbackLink);