From 5b62013f273bdb6ebbe1708cf59be245d8bb3b52 Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Tue, 14 Nov 2023 14:09:35 +0100
Subject: [PATCH] rfc/xr: be more careful about which urls we load in iframes

anything that looks like it specifies a different host should not be loaded. www.xmox.nl also has a CSP policy that should prevent resources from other domains from being loaded.
---
 rfc/xr.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/rfc/xr.go b/rfc/xr.go
index 435a612..70befe3 100644
--- a/rfc/xr.go
+++ b/rfc/xr.go
@@ -364,18 +364,28 @@ window.addEventListener('hashchange', function() {
 })
 function hashlink2src(s) {
 const t = s.split(':')
+ if (t.length > 2 || t[0].startsWith('/') || t[0].includes('..')) {
+ return ''
+ }
 let h = t[0]+'.html'
 if (t.length === 2) {
 h += '#L'+t[1]
 }
+ h = './'+h
 console.log('hashlink', s, h)
 return h
 }
 function updateIframes() {
 const h = location.hash.length > 1 ? location.hash.substring(1) : 'code,rfc'
 const t = h.split(',')
- codeiframe.src = hashlink2src(t[0])
- rfciframe.src = hashlink2src(t[1])
+ const codesrc = hashlink2src(t[0])
+ const rfcsrc = hashlink2src(t[1])
+ codeiframe.src = codesrc
+ rfciframe.src = rfcsrc
+ if (codesrc) {
+ codefile.innerText = t[0]
+ rfcfile.innerText = t[1]
+ }
 }
 window.addEventListener('load', function() {
 console.log('document load')
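Review bot: The `t[0].includes('..')` test in hashlink2src only catches literal dots, but the WHATWG URL parser also treats percent-encoded dot segments (`%2e%2e`) as `..`, so a hash value containing them still resolves upward from `./` and the iframe can end up loading a different same-origin page than the one named. Because the result is always prefixed with `./`, the reach stays within this origin (the commit message relies on CSP for cross-origin), but an allowlist is more robust than a denylist here, e.g. `if (t.length > 2 || !/^[A-Za-z0-9_./-]+$/.test(t[0]) || t[0].includes('..')) { return '' }`, with the character class widened to whatever names the page actually links. Separately, in updateIframes the `if (codesrc)` guard sets `rfcfile.innerText = t[1]` even when rfcsrc is empty; gating each label on its own result, `if (rfcsrc) { rfcfile.innerText = t[1] }`, keeps the label consistent with the iframe it describes. Note that `t[1]` is undefined when the hash has no comma, which makes hashlink2src throw on `.split`; that predates this change.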