Handling of external app links in the viewer

Links that should be handled/opened by external applications - such as email addresses (mailto:), phone numbers (tel:), etc - are opened by the viewer in a new tab/window, thus avoiding any issues with content security policy.
kiwix · Sep 10, 2024 · 16ebc66 · 16ebc66
1 parent d5a44b9
commit 16ebc66
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/static/skin/viewer.js b/static/skin/viewer.js
@@ -310,6 +310,12 @@ function blockLink(url) {
        : url;
 }
 
+function urlMustBeHandledByAnExternalApp(url) {
+  const WHITELISTED_URL_SCHEMATA = ['http:', 'https:', 'about:', 'javascript:'];
+
+  return WHITELISTED_URL_SCHEMATA.indexOf(url.protocol) == -1;
+}
+
 function isExternalUrl(url) {
   if ( url.startsWith(window.location.origin) )
     return false;
@@ -334,7 +340,13 @@ function onClickEvent(e) {
   const target = matchingAncestorElement(e.target, iframeDocument, "a");
   if (target !== null && "href" in target) {
     const target_href = getRealHref(target);
-    if (isExternalUrl(target_href)) {
+    const target_url = new URL(target_href, iframeDocument.location);
+    const isExternalAppUrl = urlMustBeHandledByAnExternalApp(target_url);
+    if ( isExternalAppUrl && !viewerSettings.linkBlockingEnabled ) {
+        target.setAttribute("target", "_blank");
+    }
+
+    if (isExternalAppUrl || isExternalUrl(target_href)) {
       const possiblyBlockedLink = blockLink(target_href);
       if ( e.ctrlKey || e.shiftKey ) {
         // The link will be loaded in a new tab/window - update the link
@@ -343,6 +355,7 @@ function onClickEvent(e) {
       } else {
         // Load the external URL in the viewer window (rather than iframe)
         contentIframe.contentWindow.parent.location = possiblyBlockedLink;
+        e.preventDefault();
       }
     }
   }

diff --git a/test/server.cpp b/test/server.cpp
@@ -75,7 +75,7 @@ const ResourceCollection resources200Compressible{
   { DYNAMIC_CONTENT, "/ROOT%23%3F/skin/taskbar.css" },
   { STATIC_CONTENT,  "/ROOT%23%3F/skin/taskbar.css?cacheid=80d56607" },
   { DYNAMIC_CONTENT, "/ROOT%23%3F/skin/viewer.js" },
-  { STATIC_CONTENT,  "/ROOT%23%3F/skin/viewer.js?cacheid=5fc4badf" },
+  { STATIC_CONTENT,  "/ROOT%23%3F/skin/viewer.js?cacheid=215635fd" },
   { DYNAMIC_CONTENT, "/ROOT%23%3F/skin/fonts/Poppins.ttf" },
   { STATIC_CONTENT,  "/ROOT%23%3F/skin/fonts/Poppins.ttf?cacheid=af705837" },
   { DYNAMIC_CONTENT, "/ROOT%23%3F/skin/fonts/Roboto.ttf" },
@@ -324,7 +324,7 @@ R"EXPECTEDRESULT(    <link type="text/css" href="./skin/kiwix.css?cacheid=2158fa
     <script type="text/javascript" src="./skin/polyfills.js?cacheid=a0e0343d"></script>
     <script type="module" src="./skin/i18n.js?cacheid=071abc9a" defer></script>
     <script type="text/javascript" src="./skin/languages.js?cacheid=ee7d95b5" defer></script>
-    <script type="text/javascript" src="./skin/viewer.js?cacheid=5fc4badf" defer></script>
+    <script type="text/javascript" src="./skin/viewer.js?cacheid=215635fd" defer></script>
     <script type="text/javascript" src="./skin/autoComplete/autoComplete.min.js?cacheid=1191aaaf"></script>
       const blankPageUrl = root + "/skin/blank.html?cacheid=6b1fa032";
           <label for="kiwix_button_show_toggle"><img src="./skin/caret.png?cacheid=22b942b4" alt=""></label>