| 1 | 1 | | function error(text) { |
| | 2 | + | document.querySelector(".form").style.display = "none"; |
| 2 | 3 | | document.querySelector(".error").style.display = "inherit"; |
| 3 | 4 | | document.querySelector("#errortext").innerText = `Error: ${text}`; |
| 4 | 5 | | } |
| 5 | 6 | | |
| 6 | 7 | | // Run when the <body> loads |
| 7 | | - | async function main() { |
| | 8 | + | function main() { |
| | 9 | + | document.querySelector(".form").style.display = "inherit"; |
| | 10 | + | document.querySelector("#password").value = ""; |
| | 11 | + | document.querySelector(".error").style.display = "none"; |
| | 12 | + | document.querySelector("#errortext").innerText = ""; |
| | 13 | + | |
| 8 | 14 | | if (window.location.hash) { |
| 9 | 15 | | // Fail if the b64 library or API was not loaded |
| 10 | 16 | | if (!("b64" in window)) { |
| skipped 37 lines |
| 48 | 54 | | let hint, password; |
| 49 | 55 | | if ("h" in params) { |
| 50 | 56 | | hint = params["h"]; |
| 51 | | - | password = prompt(`Please enter the password to unlock the link.\n\nHint: ${hint}`); |
| 52 | | - | } else { |
| 53 | | - | password = prompt("Please enter the password to unlock the link."); |
| | 57 | + | document.querySelector("#hint").innerText = "Hint: " + hint; |
| 54 | 58 | | } |
| 55 | 59 | | |
| 56 | | - | // Decrypt and redirect if possible |
| 57 | | - | let url; |
| 58 | | - | try { |
| 59 | | - | url = await api.decrypt(encrypted, password, salt, iv); |
| 60 | | - | } catch { |
| 61 | | - | // Password is incorrect. |
| 62 | | - | error("Password is incorrect."); |
| | 60 | + | document.querySelector("#unlockbutton").addEventListener("click", async () => { |
| | 61 | + | password = document.querySelector("#password").value; |
| 63 | 62 | | |
| 64 | | - | // Set the "decrypt without redirect" URL appropriately |
| 65 | | - | document.querySelector("#no-redirect").href = |
| 66 | | - | `https://jstrieb.github.io/link-lock/decrypt/#${hash}`; |
| 67 | | - | |
| 68 | | - | // Set the "create hidden bookmark" URL appropriately |
| 69 | | - | document.querySelector("#hidden").href = |
| 70 | | - | `https://jstrieb.github.io/link-lock/hidden/#${hash}`; |
| 71 | | - | return; |
| 72 | | - | } |
| | 63 | + | // Decrypt and redirect if possible |
| | 64 | + | let url; |
| | 65 | + | try { |
| | 66 | + | url = await api.decrypt(encrypted, password, salt, iv); |
| | 67 | + | } catch { |
| | 68 | + | // Password is incorrect. |
| | 69 | + | error("Password is incorrect."); |
| 73 | 70 | | |
| 74 | | - | try { |
| 75 | | - | // Extra check to make sure the URL is valid. Probably shouldn't fail. |
| 76 | | - | let urlObj = new URL(url); |
| | 71 | + | // Set the "decrypt without redirect" URL appropriately |
| | 72 | + | document.querySelector("#no-redirect").href = |
| | 73 | + | `https://jstrieb.github.io/link-lock/decrypt/#${hash}`; |
| 77 | 74 | | |
| 78 | | - | // Prevent XSS by making sure only HTTP URLs are used. Also allow magnet |
| 79 | | - | // links for password-protected torrents. |
| 80 | | - | if (!(urlObj.protocol == "http:" |
| 81 | | - | || urlObj.protocol == "https:" |
| 82 | | - | || urlObj.protocol == "magnet:")) { |
| 83 | | - | error(`The link uses a non-hypertext protocol, which is not allowed. ` |
| 84 | | - | + `The URL begins with "${urlObj.protocol}" and may be malicious.`); |
| | 75 | + | // Set the "create hidden bookmark" URL appropriately |
| | 76 | + | document.querySelector("#hidden").href = |
| | 77 | + | `https://jstrieb.github.io/link-lock/hidden/#${hash}`; |
| 85 | 78 | | return; |
| 86 | 79 | | } |
| 87 | 80 | | |
| 88 | | - | // IMPORTANT NOTE: must use window.location.href instead of the (in my |
| 89 | | - | // opinion more proper) window.location.replace. If you use replace, it |
| 90 | | - | // causes Chrome to change the icon of a bookmarked link to update it to |
| 91 | | - | // the unlocked destination. This is dangerous information leakage. |
| 92 | | - | window.location.href = url; |
| 93 | | - | } catch { |
| 94 | | - | error("A corrupted URL was encrypted. Cannot redirect."); |
| 95 | | - | console.log(url); |
| 96 | | - | return; |
| 97 | | - | } |
| | 81 | + | try { |
| | 82 | + | // Extra check to make sure the URL is valid. Probably shouldn't fail. |
| | 83 | + | let urlObj = new URL(url); |
| | 84 | + | |
| | 85 | + | // Prevent XSS by making sure only HTTP URLs are used. Also allow magnet |
| | 86 | + | // links for password-protected torrents. |
| | 87 | + | if (!(urlObj.protocol == "http:" |
| | 88 | + | || urlObj.protocol == "https:" |
| | 89 | + | || urlObj.protocol == "magnet:")) { |
| | 90 | + | error(`The link uses a non-hypertext protocol, which is not allowed. ` |
| | 91 | + | + `The URL begins with "${urlObj.protocol}" and may be malicious.`); |
| | 92 | + | return; |
| | 93 | + | } |
| | 94 | + | |
| | 95 | + | // IMPORTANT NOTE: must use window.location.href instead of the (in my |
| | 96 | + | // opinion more proper) window.location.replace. If you use replace, it |
| | 97 | + | // causes Chrome to change the icon of a bookmarked link to update it to |
| | 98 | + | // the unlocked destination. This is dangerous information leakage. |
| | 99 | + | window.location.href = url; |
| | 100 | + | } catch { |
| | 101 | + | error("A corrupted URL was encrypted. Cannot redirect."); |
| | 102 | + | console.log(url); |
| | 103 | + | return; |
| | 104 | + | } |
| | 105 | + | }); |
| 98 | 106 | | } else { |
| 99 | 107 | | // Otherwise redirect to the creator |
| 100 | 108 | | window.location.replace("./create"); |
| skipped 3 lines |
Jacob Strieb
committed
1 year ago
1 parent 2815b229