1 | 1 | | function error(text) { |
| 2 | + | document.querySelector(".form").style.display = "none"; |
2 | 3 | | document.querySelector(".error").style.display = "inherit"; |
3 | 4 | | document.querySelector("#errortext").innerText = `Error: ${text}`; |
4 | 5 | | } |
5 | 6 | | |
6 | 7 | | // Run when the <body> loads |
7 | | - | async function main() { |
| 8 | + | function main() { |
| 9 | + | document.querySelector(".form").style.display = "inherit"; |
| 10 | + | document.querySelector("#password").value = ""; |
| 11 | + | document.querySelector(".error").style.display = "none"; |
| 12 | + | document.querySelector("#errortext").innerText = ""; |
| 13 | + | |
8 | 14 | | if (window.location.hash) { |
9 | 15 | | // Fail if the b64 library or API was not loaded |
10 | 16 | | if (!("b64" in window)) { |
| skipped 37 lines |
48 | 54 | | let hint, password; |
49 | 55 | | if ("h" in params) { |
50 | 56 | | hint = params["h"]; |
51 | | - | password = prompt(`Please enter the password to unlock the link.\n\nHint: ${hint}`); |
52 | | - | } else { |
53 | | - | password = prompt("Please enter the password to unlock the link."); |
| 57 | + | document.querySelector("#hint").innerText = "Hint: " + hint; |
54 | 58 | | } |
55 | 59 | | |
56 | | - | // Decrypt and redirect if possible |
57 | | - | let url; |
58 | | - | try { |
59 | | - | url = await api.decrypt(encrypted, password, salt, iv); |
60 | | - | } catch { |
61 | | - | // Password is incorrect. |
62 | | - | error("Password is incorrect."); |
| 60 | + | document.querySelector("#unlockbutton").addEventListener("click", async () => { |
| 61 | + | password = document.querySelector("#password").value; |
63 | 62 | | |
64 | | - | // Set the "decrypt without redirect" URL appropriately |
65 | | - | document.querySelector("#no-redirect").href = |
66 | | - | `https://jstrieb.github.io/link-lock/decrypt/#${hash}`; |
67 | | - | |
68 | | - | // Set the "create hidden bookmark" URL appropriately |
69 | | - | document.querySelector("#hidden").href = |
70 | | - | `https://jstrieb.github.io/link-lock/hidden/#${hash}`; |
71 | | - | return; |
72 | | - | } |
| 63 | + | // Decrypt and redirect if possible |
| 64 | + | let url; |
| 65 | + | try { |
| 66 | + | url = await api.decrypt(encrypted, password, salt, iv); |
| 67 | + | } catch { |
| 68 | + | // Password is incorrect. |
| 69 | + | error("Password is incorrect."); |
73 | 70 | | |
74 | | - | try { |
75 | | - | // Extra check to make sure the URL is valid. Probably shouldn't fail. |
76 | | - | let urlObj = new URL(url); |
| 71 | + | // Set the "decrypt without redirect" URL appropriately |
| 72 | + | document.querySelector("#no-redirect").href = |
| 73 | + | `https://jstrieb.github.io/link-lock/decrypt/#${hash}`; |
77 | 74 | | |
78 | | - | // Prevent XSS by making sure only HTTP URLs are used. Also allow magnet |
79 | | - | // links for password-protected torrents. |
80 | | - | if (!(urlObj.protocol == "http:" |
81 | | - | || urlObj.protocol == "https:" |
82 | | - | || urlObj.protocol == "magnet:")) { |
83 | | - | error(`The link uses a non-hypertext protocol, which is not allowed. ` |
84 | | - | + `The URL begins with "${urlObj.protocol}" and may be malicious.`); |
| 75 | + | // Set the "create hidden bookmark" URL appropriately |
| 76 | + | document.querySelector("#hidden").href = |
| 77 | + | `https://jstrieb.github.io/link-lock/hidden/#${hash}`; |
85 | 78 | | return; |
86 | 79 | | } |
87 | 80 | | |
88 | | - | // IMPORTANT NOTE: must use window.location.href instead of the (in my |
89 | | - | // opinion more proper) window.location.replace. If you use replace, it |
90 | | - | // causes Chrome to change the icon of a bookmarked link to update it to |
91 | | - | // the unlocked destination. This is dangerous information leakage. |
92 | | - | window.location.href = url; |
93 | | - | } catch { |
94 | | - | error("A corrupted URL was encrypted. Cannot redirect."); |
95 | | - | console.log(url); |
96 | | - | return; |
97 | | - | } |
| 81 | + | try { |
| 82 | + | // Extra check to make sure the URL is valid. Probably shouldn't fail. |
| 83 | + | let urlObj = new URL(url); |
| 84 | + | |
| 85 | + | // Prevent XSS by making sure only HTTP URLs are used. Also allow magnet |
| 86 | + | // links for password-protected torrents. |
| 87 | + | if (!(urlObj.protocol == "http:" |
| 88 | + | || urlObj.protocol == "https:" |
| 89 | + | || urlObj.protocol == "magnet:")) { |
| 90 | + | error(`The link uses a non-hypertext protocol, which is not allowed. ` |
| 91 | + | + `The URL begins with "${urlObj.protocol}" and may be malicious.`); |
| 92 | + | return; |
| 93 | + | } |
| 94 | + | |
| 95 | + | // IMPORTANT NOTE: must use window.location.href instead of the (in my |
| 96 | + | // opinion more proper) window.location.replace. If you use replace, it |
| 97 | + | // causes Chrome to change the icon of a bookmarked link to update it to |
| 98 | + | // the unlocked destination. This is dangerous information leakage. |
| 99 | + | window.location.href = url; |
| 100 | + | } catch { |
| 101 | + | error("A corrupted URL was encrypted. Cannot redirect."); |
| 102 | + | console.log(url); |
| 103 | + | return; |
| 104 | + | } |
| 105 | + | }); |
98 | 106 | | } else { |
99 | 107 | | // Otherwise redirect to the creator |
100 | 108 | | window.location.replace("./create"); |
| skipped 3 lines |
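Review bot: The new click handler on `#unlockbutton` reads `#password` but never clears it, so the plaintext password is still in the input when `window.location.href = url` navigates away. The only reset is at the top of `main()`, and if the browser restores the page from its back/forward cache without re-running the body load handler (the wiring is not visible here), the field could still hold the password. I would add `document.querySelector("#password").value = "";` right after the read at the start of the handler, and declare `password` as a `const` inside the handler instead of in the outer `let hint, password;`. Since `main()` now resets the form state, it looks meant to be callable more than once, in which case each call attaches another click listener and one click would run several decrypts; registering the listener once, outside the re-runnable part, avoids that. Part of `main()` is collapsed (37 lines skipped), so this is based only on the visible lines.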