| 29 | }) |
| 30 | }, |
| 31 | isGoodLink = link => { |
| 32 | if (typeof link !== "string" || (link.split("#")[0] == location.href.split("#")[0] && !isGoodLink_allowSelf)) { |
| 33 | return false |
| 34 | } |
| 35 | try { |
| 36 | let u = new URL(decodeURI(link).trim().toLocaleLowerCase()) |
| 37 | //check if host is a private/internal ip |
| 38 | if (u.hostname === 'localhost' || u.hostname === '[::1]' || /^127(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$/.test(u.hostname)) { |
| 39 | return false |
| 40 | } |
| 41 | var parts = u.hostname.split('.'); |
| 42 | if (parts[0] === '10' || (parts[0] === '172' && (parseInt(parts[1], 10) >= 16 && parseInt(parts[1], 10) <= 31)) || (parts[0] === '192' && parts[1] === '168')) { |
| 43 | return false |
| 44 | } |
| 45 | // Check if protocol is safe |
| 46 | let safeProtocols = ["http:", "https:", "mailto:", "irc:", "telnet:", "tel:", "svn:"] |
| 47 | if (!safeProtocols.includes(u.protocol)) { |
| 48 | return false |
| 49 | } |
| 50 | } |
| 51 | catch (e) { |
| 52 | return false |
| 53 | } |
| 54 | return true |
| 55 | }, |
| 56 | unsafelyAssign = target => { |
| 57 | navigated = true |
| 58 | window.onbeforeunload = null |
no outgoing calls
no test coverage detected