MOBILE-3833 core: Hide sensitive info in open browser warning

2022-04-14 11:47:39 +02:00 · 2022-04-14 11:47:39 +02:00 · 542604f894
parent f332b65100
commit 542604f894
3 changed files with 8 additions and 12 deletions
--- a/src/core/classes/site.ts
+++ b/src/core/classes/site.ts
@ -46,7 +46,6 @@ import { asyncInstance, AsyncInstance } from '../utils/async-instance';
 import { CoreDatabaseTable } from './database/database-table';
 import { CoreDatabaseCachingStrategy } from './database/database-table-proxy';
 import { CoreSilentError } from './errors/silenterror';
-import { CoreWindow } from '@singletons/window';

 /**
 * QR Code type enumeration.
@ -1608,16 +1607,7 @@ export class CoreSite {
        if (inApp) {
            return CoreUtils.openInApp(autoLoginUrl, options);
        } else {
-            if ((options.showBrowserWarning || options.showBrowserWarning === undefined) && autoLoginUrl !== url) {
-                // Don't display the autologin URL in the warning.
-                try {
-                    await CoreWindow.confirmOpenBrowserIfNeeded(url);
-
-                    options.showBrowserWarning = false;
-                } catch (error) {
-                    return; // Cancelled, stop.
-                }
-            }
+            options.browserWarningUrl = url;

            return CoreUtils.openInBrowser(autoLoginUrl, options);
        }
--- a/src/core/services/utils/utils.ts
+++ b/src/core/services/utils/utils.ts
@ -1112,7 +1112,7 @@ export class CoreUtilsProvider {
    async openInBrowser(url: string, options: CoreUtilsOpenInBrowserOptions = {}): Promise<void> {
        if (options.showBrowserWarning || options.showBrowserWarning === undefined) {
            try {
-                await CoreWindow.confirmOpenBrowserIfNeeded(url);
+                await CoreWindow.confirmOpenBrowserIfNeeded(options.browserWarningUrl ?? url);
            } catch (error) {
                return; // Cancelled, stop.
            }
@ -1836,6 +1836,7 @@ export type CoreUtilsOpenFileOptions = {
 */
 export type CoreUtilsOpenInBrowserOptions = {
    showBrowserWarning?: boolean; // Whether to display a warning before opening in browser. Defaults to true.
+    browserWarningUrl?: string; // The URL to display in the warning message. Use it to hide sensitive information.
 };

 /**
--- a/src/core/singletons/window.ts
+++ b/src/core/singletons/window.ts
@ -61,6 +61,11 @@ export class CoreWindow {
            return;
        }

+        // Remove common sensitive information from the URL.
+        url = url
+            .replace(/token=[^&#]+/gi, 'token=secret')
+            .replace(/tokenpluginfile\.php\/[^/]+/gi, 'tokenpluginfile.php/secret');
+
        const dontShowAgain = await CoreDomUtils.showPrompt(
            Translate.instant('core.warnopeninbrowser', { url }),
            undefined,