From 37844a9bd94fc8769de9d0839ec11debdeff9323 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Tue, 16 Apr 2024 10:54:16 +0000
Subject: [PATCH] refine url validation, fixes #4021

Closes #4021

Merge request studip/studip!2870
---
 .../blocks/CoursewareIframeBlock.vue          | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/resources/vue/components/courseware/blocks/CoursewareIframeBlock.vue b/resources/vue/components/courseware/blocks/CoursewareIframeBlock.vue
index be56ab413f2..4ff7e45b8e0 100644
--- a/resources/vue/components/courseware/blocks/CoursewareIframeBlock.vue
+++ b/resources/vue/components/courseware/blocks/CoursewareIframeBlock.vue
@@ -234,17 +234,16 @@ export default {
             this.currentUrlIsValid = this.isValidUrl(this.currentUrl);
         },
         isValidUrl(urlString) {
-            const urlPattern = new RegExp(
-                '^(https?:\\/\\/)?' + // validate protocol
-                    '((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|' + // validate domain name
-                    '((\\d{1,3}\\.){3}\\d{1,3}))' + // validate OR ip (v4) address
-                    '(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*' + // validate port and path
-                    '(\\?[;&a-z\\d%_.~+=-]*)?' + // validate query string
-                    '(\\#[-a-z\\d_]*)?$',
-                'i'
-            ); // validate fragment locator
+            if (!urlString.startsWith('http')) {
+                urlString = `${location.protocol}//${urlString}`;
+            }
 
-            return !!urlPattern.test(urlString);
+            try {
+                const url = new URL(urlString);
+                return ['http:', 'https:'].includes(url.protocol);
+            } catch (e) {
+                return false;
+            }
         },
 
         updateUrl() {
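Review bot: The scheme test in `isValidUrl`, `urlString.startsWith('http')`, looks at the first four letters only, so a scheme-less host such as `httpbin.org` is never prefixed, `new URL` throws, and a legitimate address is marked invalid. In the other direction, every input that does not start with `http` gets `location.protocol` prepended before parsing, so a string that already carries another scheme (for example `ftp://host/file`) appears to parse as an http(s) URL whose host is `ftp` and passes the protocol check. The boolean therefore describes the rewritten string rather than `this.currentUrl`. If the code outside this hunk writes the original value into the iframe `src`, the check does not constrain what is actually loaded. I would prefix only when no scheme is present, `if (!/^[a-z][a-z\d+.-]*:\/\//i.test(urlString)) { urlString = location.protocol + '//' + urlString; }`, and have the caller store the normalized `url.href`, so that the validated value and the rendered value are the same string.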
-- 
GitLab