Prevent loading remote content via URL hash

jhildenbiddle · jhildenbiddle · commit e6c6abb76dca · 2021-02-04T17:34:18.000-06:00
Fixes #1477. Fixes #1126.
diff --git a/src/core/fetch/index.js b/src/core/fetch/index.js
@@ -102,41 +102,50 @@ export function fetchMixin(proto) {
   };
 
   proto._fetch = function(cb = noop) {
-    const { path, query } = this.route;
-    const qs = stringifyQuery(query, ['id']);
-    const { loadNavbar, requestHeaders, loadSidebar } = this.config;
-    // Abort last request
-
-    const file = this.router.getFile(path);
-    const req = request(file + qs, true, requestHeaders);
-
-    this.isRemoteUrl = isExternal(file);
-    // Current page is html
-    this.isHTML = /\.html$/g.test(file);
-
-    // Load main content
-    req.then(
-      (text, opt) =>
-        this._renderMain(
-          text,
-          opt,
-          this._loadSideAndNav(path, qs, loadSidebar, cb)
-        ),
-      _ => {
-        this._fetchFallbackPage(path, qs, cb) || this._fetch404(file, qs, cb);
-      }
-    );
-
-    // Load nav
-    loadNavbar &&
-      loadNested(
-        path,
-        qs,
-        loadNavbar,
-        text => this._renderNav(text),
-        this,
-        true
+    const { query } = this.route;
+    let { path } = this.route;
+
+    // Prevent loading remote content via URL hash
+    // Ex: https://foo.com/#//bar.com/file.md
+    if (isExternal(path)) {
+      history.replaceState(null, '', '#');
+      this.router.normalize();
+    } else {
+      const qs = stringifyQuery(query, ['id']);
+      const { loadNavbar, requestHeaders, loadSidebar } = this.config;
+      // Abort last request
+
+      const file = this.router.getFile(path);
+      const req = request(file + qs, true, requestHeaders);
+
+      this.isRemoteUrl = isExternal(file);
+      // Current page is html
+      this.isHTML = /\.html$/g.test(file);
+
+      // Load main content
+      req.then(
+        (text, opt) =>
+          this._renderMain(
+            text,
+            opt,
+            this._loadSideAndNav(path, qs, loadSidebar, cb)
+          ),
+        _ => {
+          this._fetchFallbackPage(path, qs, cb) || this._fetch404(file, qs, cb);
+        }
       );
+
+      // Load nav
+      loadNavbar &&
+        loadNested(
+          path,
+          qs,
+          loadNavbar,
+          text => this._renderNav(text),
+          this,
+          true
+        );
+    }
   };
 
   proto._fetchCover = function() {
