|
|
|
|
@ -12,13 +12,11 @@ import {
|
|
|
|
|
NonDeletedExcalidrawElement,
|
|
|
|
|
Theme,
|
|
|
|
|
} from "./types";
|
|
|
|
|
import { sanitizeHTMLAttribute } from "../data/url";
|
|
|
|
|
|
|
|
|
|
type EmbeddedLink =
|
|
|
|
|
| ({
|
|
|
|
|
aspectRatio: { w: number; h: number };
|
|
|
|
|
warning?: string;
|
|
|
|
|
sandbox: { allowSameOrigin?: boolean };
|
|
|
|
|
} & (
|
|
|
|
|
| { type: "video" | "generic"; link: string }
|
|
|
|
|
| { type: "document"; srcdoc: (theme: Theme) => string }
|
|
|
|
|
@ -30,21 +28,20 @@ const embeddedLinkCache = new Map<string, EmbeddedLink>();
|
|
|
|
|
const RE_YOUTUBE =
|
|
|
|
|
/^(?:http(?:s)?:\/\/)?(?:www\.)?youtu(?:be\.com|\.be)\/(embed\/|watch\?v=|shorts\/|playlist\?list=|embed\/videoseries\?list=)?([a-zA-Z0-9_-]+)(?:\?t=|&t=|\?start=|&start=)?([a-zA-Z0-9_-]+)?[^\s]*$/;
|
|
|
|
|
const RE_VIMEO =
|
|
|
|
|
/^(?:http(?:s)?:\/\/)?(?:(?:w){3}\.)?(?:player\.)?vimeo\.com\/(?:video\/)?([^?\s]+)(?:\?.*)?$/;
|
|
|
|
|
/^(?:http(?:s)?:\/\/)?(?:(?:w){3}.)?(?:player\.)?vimeo\.com\/(?:video\/)?([^?\s]+)(?:\?.*)?$/;
|
|
|
|
|
const RE_FIGMA = /^https:\/\/(?:www\.)?figma\.com/;
|
|
|
|
|
|
|
|
|
|
const RE_GH_GIST = /^https:\/\/gist\.github\.com\/([\w_-]+)\/([\w_-]+)/;
|
|
|
|
|
const RE_GH_GIST = /^https:\/\/gist\.github\.com/;
|
|
|
|
|
const RE_GH_GIST_EMBED =
|
|
|
|
|
/^<script[\s\S]*?\ssrc=["'](https:\/\/gist\.github\.com\/.*?)\.js["']/i;
|
|
|
|
|
/^<script[\s\S]*?\ssrc=["'](https:\/\/gist.github.com\/.*?)\.js["']/i;
|
|
|
|
|
|
|
|
|
|
// not anchored to start to allow <blockquote> twitter embeds
|
|
|
|
|
const RE_TWITTER =
|
|
|
|
|
/(?:https?:\/\/)?(?:(?:w){3}\.)?(?:twitter|x)\.com\/[^/]+\/status\/(\d+)/;
|
|
|
|
|
const RE_TWITTER = /(?:http(?:s)?:\/\/)?(?:(?:w){3}.)?twitter.com/;
|
|
|
|
|
const RE_TWITTER_EMBED =
|
|
|
|
|
/^<blockquote[\s\S]*?\shref=["'](https?:\/\/(?:twitter|x)\.com\/[^"']*)/i;
|
|
|
|
|
/^<blockquote[\s\S]*?\shref=["'](https:\/\/twitter.com\/[^"']*)/i;
|
|
|
|
|
|
|
|
|
|
const RE_VALTOWN =
|
|
|
|
|
/^https:\/\/(?:www\.)?val\.town\/(v|embed)\/[a-zA-Z_$][0-9a-zA-Z_$]+\.[a-zA-Z_$][0-9a-zA-Z_$]+/;
|
|
|
|
|
/^https:\/\/(?:www\.)?val.town\/(v|embed)\/[a-zA-Z_$][0-9a-zA-Z_$]+\.[a-zA-Z_$][0-9a-zA-Z_$]+/;
|
|
|
|
|
|
|
|
|
|
const RE_GENERIC_EMBED =
|
|
|
|
|
/^<(?:iframe|blockquote)[\s\S]*?\s(?:src|href)=["']([^"']*)["'][\s\S]*?>$/i;
|
|
|
|
|
@ -63,18 +60,6 @@ const ALLOWED_DOMAINS = new Set([
|
|
|
|
|
"val.town",
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
const ALLOW_SAME_ORIGIN = new Set([
|
|
|
|
|
"youtube.com",
|
|
|
|
|
"youtu.be",
|
|
|
|
|
"vimeo.com",
|
|
|
|
|
"player.vimeo.com",
|
|
|
|
|
"figma.com",
|
|
|
|
|
"twitter.com",
|
|
|
|
|
"x.com",
|
|
|
|
|
"*.simplepdf.eu",
|
|
|
|
|
"stackblitz.com",
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
const createSrcDoc = (body: string) => {
|
|
|
|
|
return `<html><body>${body}</body></html>`;
|
|
|
|
|
};
|
|
|
|
|
@ -90,10 +75,6 @@ export const getEmbedLink = (link: string | null | undefined): EmbeddedLink => {
|
|
|
|
|
|
|
|
|
|
const originalLink = link;
|
|
|
|
|
|
|
|
|
|
const allowSameOrigin = ALLOW_SAME_ORIGIN.has(
|
|
|
|
|
matchHostname(link, ALLOW_SAME_ORIGIN) || "",
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let type: "video" | "generic" = "generic";
|
|
|
|
|
let aspectRatio = { w: 560, h: 840 };
|
|
|
|
|
const ytLink = link.match(RE_YOUTUBE);
|
|
|
|
|
@ -116,13 +97,8 @@ export const getEmbedLink = (link: string | null | undefined): EmbeddedLink => {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
aspectRatio = isPortrait ? { w: 315, h: 560 } : { w: 560, h: 315 };
|
|
|
|
|
embeddedLinkCache.set(originalLink, {
|
|
|
|
|
link,
|
|
|
|
|
aspectRatio,
|
|
|
|
|
type,
|
|
|
|
|
sandbox: { allowSameOrigin },
|
|
|
|
|
});
|
|
|
|
|
return { link, aspectRatio, type, sandbox: { allowSameOrigin } };
|
|
|
|
|
embeddedLinkCache.set(originalLink, { link, aspectRatio, type });
|
|
|
|
|
return { link, aspectRatio, type };
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const vimeoLink = link.match(RE_VIMEO);
|
|
|
|
|
@ -136,13 +112,8 @@ export const getEmbedLink = (link: string | null | undefined): EmbeddedLink => {
|
|
|
|
|
aspectRatio = { w: 560, h: 315 };
|
|
|
|
|
//warning deliberately ommited so it is displayed only once per link
|
|
|
|
|
//same link next time will be served from cache
|
|
|
|
|
embeddedLinkCache.set(originalLink, {
|
|
|
|
|
link,
|
|
|
|
|
aspectRatio,
|
|
|
|
|
type,
|
|
|
|
|
sandbox: { allowSameOrigin },
|
|
|
|
|
});
|
|
|
|
|
return { link, aspectRatio, type, warning, sandbox: { allowSameOrigin } };
|
|
|
|
|
embeddedLinkCache.set(originalLink, { link, aspectRatio, type });
|
|
|
|
|
return { link, aspectRatio, type, warning };
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const figmaLink = link.match(RE_FIGMA);
|
|
|
|
|
@ -152,81 +123,75 @@ export const getEmbedLink = (link: string | null | undefined): EmbeddedLink => {
|
|
|
|
|
link,
|
|
|
|
|
)}`;
|
|
|
|
|
aspectRatio = { w: 550, h: 550 };
|
|
|
|
|
embeddedLinkCache.set(originalLink, {
|
|
|
|
|
link,
|
|
|
|
|
aspectRatio,
|
|
|
|
|
type,
|
|
|
|
|
sandbox: { allowSameOrigin },
|
|
|
|
|
});
|
|
|
|
|
return { link, aspectRatio, type, sandbox: { allowSameOrigin } };
|
|
|
|
|
embeddedLinkCache.set(originalLink, { link, aspectRatio, type });
|
|
|
|
|
return { link, aspectRatio, type };
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const valLink = link.match(RE_VALTOWN);
|
|
|
|
|
if (valLink) {
|
|
|
|
|
link =
|
|
|
|
|
valLink[1] === "embed" ? valLink[0] : valLink[0].replace("/v", "/embed");
|
|
|
|
|
embeddedLinkCache.set(originalLink, {
|
|
|
|
|
link,
|
|
|
|
|
aspectRatio,
|
|
|
|
|
type,
|
|
|
|
|
sandbox: { allowSameOrigin },
|
|
|
|
|
});
|
|
|
|
|
return { link, aspectRatio, type, sandbox: { allowSameOrigin } };
|
|
|
|
|
embeddedLinkCache.set(originalLink, { link, aspectRatio, type });
|
|
|
|
|
return { link, aspectRatio, type };
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (RE_TWITTER.test(link)) {
|
|
|
|
|
const postId = link.match(RE_TWITTER)![1];
|
|
|
|
|
// the embed srcdoc still supports twitter.com domain only.
|
|
|
|
|
// Note that we don't attempt to parse the username as it can consist of
|
|
|
|
|
// non-latin1 characters, and the username in the url can be set to anything
|
|
|
|
|
// without affecting the embed.
|
|
|
|
|
const safeURL = sanitizeHTMLAttribute(
|
|
|
|
|
`https://twitter.com/x/status/${postId}`,
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const ret: EmbeddedLink = {
|
|
|
|
|
type: "document",
|
|
|
|
|
srcdoc: (theme: string) =>
|
|
|
|
|
createSrcDoc(
|
|
|
|
|
`<blockquote class="twitter-tweet" data-dnt="true" data-theme="${theme}"><a href="${safeURL}"></a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>`,
|
|
|
|
|
),
|
|
|
|
|
aspectRatio: { w: 480, h: 480 },
|
|
|
|
|
sandbox: { allowSameOrigin },
|
|
|
|
|
};
|
|
|
|
|
let ret: EmbeddedLink;
|
|
|
|
|
// assume embed code
|
|
|
|
|
if (/<blockquote/.test(link)) {
|
|
|
|
|
const srcDoc = createSrcDoc(link);
|
|
|
|
|
ret = {
|
|
|
|
|
type: "document",
|
|
|
|
|
srcdoc: () => srcDoc,
|
|
|
|
|
aspectRatio: { w: 480, h: 480 },
|
|
|
|
|
};
|
|
|
|
|
// assume regular tweet url
|
|
|
|
|
} else {
|
|
|
|
|
ret = {
|
|
|
|
|
type: "document",
|
|
|
|
|
srcdoc: (theme: string) =>
|
|
|
|
|
createSrcDoc(
|
|
|
|
|
`<blockquote class="twitter-tweet" data-dnt="true" data-theme="${theme}"><a href="${link}"></a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>`,
|
|
|
|
|
),
|
|
|
|
|
aspectRatio: { w: 480, h: 480 },
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
embeddedLinkCache.set(originalLink, ret);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (RE_GH_GIST.test(link)) {
|
|
|
|
|
const [, user, gistId] = link.match(RE_GH_GIST)!;
|
|
|
|
|
const safeURL = sanitizeHTMLAttribute(
|
|
|
|
|
`https://gist.github.com/${user}/${gistId}`,
|
|
|
|
|
);
|
|
|
|
|
const ret: EmbeddedLink = {
|
|
|
|
|
type: "document",
|
|
|
|
|
srcdoc: () =>
|
|
|
|
|
createSrcDoc(`
|
|
|
|
|
<script src="${safeURL}.js"></script>
|
|
|
|
|
let ret: EmbeddedLink;
|
|
|
|
|
// assume embed code
|
|
|
|
|
if (/<script>/.test(link)) {
|
|
|
|
|
const srcDoc = createSrcDoc(link);
|
|
|
|
|
ret = {
|
|
|
|
|
type: "document",
|
|
|
|
|
srcdoc: () => srcDoc,
|
|
|
|
|
aspectRatio: { w: 550, h: 720 },
|
|
|
|
|
};
|
|
|
|
|
// assume regular url
|
|
|
|
|
} else {
|
|
|
|
|
ret = {
|
|
|
|
|
type: "document",
|
|
|
|
|
srcdoc: () =>
|
|
|
|
|
createSrcDoc(`
|
|
|
|
|
<script src="${link}.js"></script>
|
|
|
|
|
<style type="text/css">
|
|
|
|
|
* { margin: 0px; }
|
|
|
|
|
table, .gist { height: 100%; }
|
|
|
|
|
.gist .gist-file { height: calc(100vh - 2px); padding: 0px; display: grid; grid-template-rows: 1fr auto; }
|
|
|
|
|
</style>
|
|
|
|
|
`),
|
|
|
|
|
aspectRatio: { w: 550, h: 720 },
|
|
|
|
|
sandbox: { allowSameOrigin },
|
|
|
|
|
};
|
|
|
|
|
aspectRatio: { w: 550, h: 720 },
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
embeddedLinkCache.set(link, ret);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
embeddedLinkCache.set(link, {
|
|
|
|
|
link,
|
|
|
|
|
aspectRatio,
|
|
|
|
|
type,
|
|
|
|
|
sandbox: { allowSameOrigin },
|
|
|
|
|
});
|
|
|
|
|
return { link, aspectRatio, type, sandbox: { allowSameOrigin } };
|
|
|
|
|
embeddedLinkCache.set(link, { link, aspectRatio, type });
|
|
|
|
|
return { link, aspectRatio, type };
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
export const isEmbeddableOrFrameLabel = (
|
|
|
|
|
@ -301,39 +266,34 @@ export const actionSetEmbeddableAsActiveTool = register({
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const matchHostname = (
|
|
|
|
|
const validateHostname = (
|
|
|
|
|
url: string,
|
|
|
|
|
/** using a Set assumes it already contains normalized bare domains */
|
|
|
|
|
allowedHostnames: Set<string> | string,
|
|
|
|
|
): string | null => {
|
|
|
|
|
): boolean => {
|
|
|
|
|
try {
|
|
|
|
|
const { hostname } = new URL(url);
|
|
|
|
|
|
|
|
|
|
const bareDomain = hostname.replace(/^www\./, "");
|
|
|
|
|
const bareDomainWithFirstSubdomainWildcarded = bareDomain.replace(
|
|
|
|
|
/^([^.]+)/,
|
|
|
|
|
"*",
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (allowedHostnames instanceof Set) {
|
|
|
|
|
if (ALLOWED_DOMAINS.has(bareDomain)) {
|
|
|
|
|
return bareDomain;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const bareDomainWithFirstSubdomainWildcarded = bareDomain.replace(
|
|
|
|
|
/^([^.]+)/,
|
|
|
|
|
"*",
|
|
|
|
|
return (
|
|
|
|
|
ALLOWED_DOMAINS.has(bareDomain) ||
|
|
|
|
|
ALLOWED_DOMAINS.has(bareDomainWithFirstSubdomainWildcarded)
|
|
|
|
|
);
|
|
|
|
|
if (ALLOWED_DOMAINS.has(bareDomainWithFirstSubdomainWildcarded)) {
|
|
|
|
|
return bareDomainWithFirstSubdomainWildcarded;
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const bareAllowedHostname = allowedHostnames.replace(/^www\./, "");
|
|
|
|
|
if (bareDomain === bareAllowedHostname) {
|
|
|
|
|
return bareAllowedHostname;
|
|
|
|
|
if (bareDomain === allowedHostnames.replace(/^www\./, "")) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
} catch (error) {
|
|
|
|
|
// ignore
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
return false;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
export const extractSrc = (htmlString: string): string => {
|
|
|
|
|
@ -378,7 +338,7 @@ export const embeddableURLValidator = (
|
|
|
|
|
if (url.match(domain)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
} else if (matchHostname(url, domain)) {
|
|
|
|
|
} else if (validateHostname(url, domain)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
@ -386,5 +346,5 @@ export const embeddableURLValidator = (
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return !!matchHostname(url, ALLOWED_DOMAINS);
|
|
|
|
|
return validateHostname(url, ALLOWED_DOMAINS);
|
|
|
|
|
};
|
|
|
|
|
|
