From 28a0959d96fd0919da1319d7db56b6d2afeb234a Mon Sep 17 00:00:00 2001
From: Evgeny
Date: Sat, 16 Aug 2025 16:46:34 +0100
Subject: [PATCH] core: additional whitelisted query string parameters (not removed from URLs) (#6190)
---
 src/Simplex/Chat/Markdown.hs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/Simplex/Chat/Markdown.hs b/src/Simplex/Chat/Markdown.hs
index 5fd6d15af2..991b6ef9f5 100644
--- a/src/Simplex/Chat/Markdown.hs
+++ b/src/Simplex/Chat/Markdown.hs
@@ -350,7 +350,7 @@ sanitizeUri :: U.URI -> Maybe U.URI
 sanitizeUri uri@U.URI {uriAuthority, uriPath, uriQuery = U.Query originalQS} =
 let sanitizedQS
 | isNamePath = case originalQS of
- p : ps -> (if isBlacklisted (fst p) then id else (p :)) $ filter (isWhitelisted . fst) ps
+ p@(n, _) : ps -> (if isBlacklisted n && not (isWhitelisted n) then id else (p :)) $ filter (isWhitelisted . fst) ps
 [] -> []
 | otherwise = filter (isWhitelisted . fst) originalQS
 in if length sanitizedQS == length originalQS
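Review bot: The new guard `isBlacklisted n && not (isWhitelisted n)` lets the whitelist override the blacklist for the first parameter on name-like paths, and nothing on the line says that this precedence is intended. Because the always-on whitelist row is widened in the same commit, any name present in both lists is now kept in first position; `isBlacklisted` and `isWhitelisted` are defined outside this hunk, so whether such an overlap exists cannot be checked from here. I would add a comment above the case alternative, for example `-- first parameter on a name-like path is kept unless blacklisted; a whitelisted name always wins over the blacklist`, and a test case pinning a name that is in both lists. The body of sanitizeUri continues past the end of the hunk.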
@@ -363,8 +363,17 @@ sanitizeUri uri@U.URI {uriAuthority, uriPath, uriQuery = U.Query originalQS} =
 isNamePath = B.all (\c -> (c >= 'a' && c <= 'z') || c == '_' || c == '-' || c == '/') uriPath
 qsWhitelist :: [(ByteString -> Bool, [ByteString])]
 qsWhitelist =
- [ (const True, ["q", "search"]),
- (dom "youtube.com", ["v", "t"]),
+ [ (const True, ["q", "search", "search_query", "lang", "list", "page", "text", "type"]),
+ (dom "aliexpress.com", ["SearchText", "catId", "minPrice", "maxPrice"]),
+ (dom "amazon.com", ["i", "rh", "k"]), -- department, filter, keyword
+ (dom "baidu.com", ["wd"]), -- search string
+ (dom "bing.com", ["mkt"]), -- localized results
+ (dom "github.com", ["author", "diff", "w"]), -- author in search result, PR parameters
+ (dom "reddit.com", ["t"]), -- search type, time range
+ (dom "wikipedia.com", ["oldid", "uselang"]), -- to show old page revision and chosen user language
+ (dom "x.com", ["f"]), -- feed type
+ (dom "yahoo.com", ["p"]), -- search string
+ (dom "youtube.com", ["v", "t"]), -- video ID and timestamp
 (dom "youtu.be", ["t"])
 ]
 dom d h = d == h || (('.' `B.cons` d) `B.isSuffixOf` h)
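Review bot: The row `(dom "wikipedia.com", ["oldid", "uselang"])` names a host that Wikipedia article links do not use; they are served from wikipedia.org subdomains, so with the suffix match in `dom` this row would not apply to them and `oldid`/`uselang` would still be stripped. It should read `(dom "wikipedia.org", ["oldid", "uselang"]),`. Separately, the `const True` row now keeps generic names such as `text`, `type`, `list` and `page` for every host, which widens what any site can carry through sanitization under those names; moving the ones needed by a specific site into that site's row would keep the default set narrow. The `where` block continues outside the hunk, so how the host passed to `dom` is normalised (for example lower-cased) is not visible here.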