Make hidden hashes disabled by default

2020-02-10 10:46:20 +01:00 · 2020-02-10 10:46:20 +01:00 · 4d2538c796
parent 7d0dbe5d09
commit 4d2538c796
4 changed files with 7 additions and 6 deletions
--- a/www/common/common-ui-elements.js
+++ b/www/common/common-ui-elements.js
@ -657,7 +657,7 @@ define([
                                // Use hidden hash if needed (we're an owner of this pad so we know it is stored)
                                var useUnsafe = Util.find(priv, ['settings', 'security', 'unsafeLinks']);
                                var href = (priv.readOnly && data.roHref) ? data.roHref : data.href;
-                                if (!useUnsafe) {
+                                if (useUnsafe === false) {
                                    var newParsed = Hash.parsePadUrl(href);
                                    var newSecret = Hash.getSecrets(newParsed.type, newParsed.hash, newPass);
                                    var newHash = Hash.getHiddenHashFromKeys(parsed.type, newSecret, {});
--- a/www/common/drive-ui.js
+++ b/www/common/drive-ui.js
@ -1037,7 +1037,7 @@ define([
            var href = isRo ? data.roHref : (data.href || data.roHref);
            var priv = metadataMgr.getPrivateData();
            var useUnsafe = Util.find(priv, ['settings', 'security', 'unsafeLinks']);
-            if (useUnsafe) {
+            if (useUnsafe !== false) { // true of undefined: use unsafe links
                return void window.open(APP.origin + href);
            }

--- a/www/common/sframe-common-outer.js
+++ b/www/common/sframe-common-outer.js
@ -646,7 +646,7 @@ define([
                        var opts = parsed.getOptions();
                        var hash = Utils.Hash.getHiddenHashFromKeys(parsed.type, secret, opts);
                        var useUnsafe = Utils.Util.find(settings, ['security', 'unsafeLinks']);
-                        if (!useUnsafe && window.history && window.history.replaceState) {
+                        if (useUnsafe === false && window.history && window.history.replaceState) {
                            if (!/^#/.test(hash)) { hash = '#' + hash; }
                            window.history.replaceState({}, window.document.title, hash);
                        }
@ -684,7 +684,7 @@ define([
                        var opts = parsed.getOptions();
                        var hash = Utils.Hash.getHiddenHashFromKeys(parsed.type, secret, opts);
                        var useUnsafe = Utils.Util.find(settings, ['security', 'unsafeLinks']);
-                        if (!useUnsafe && window.history && window.history.replaceState) {
+                        if (useUnsafe === false && window.history && window.history.replaceState) {
                            if (!/^#/.test(hash)) { hash = '#' + hash; }
                            window.history.replaceState({}, window.document.title, hash);
                        }
--- a/www/settings/inner.js
+++ b/www/settings/inner.js
@ -573,10 +573,11 @@ define([

        var $cbox = $(UI.createCheckbox('cp-settings-safe-links',
                                   Messages.settings_safeLinksCheckbox,
-                                   true, { label: {class: 'noTitle'} }));
+                                   false, { label: {class: 'noTitle'} }));

        var spinner = UI.makeSpinner($cbox);

+        // Checkbox: "Enable safe links"
        var $checkbox = $cbox.find('input').on('change', function () {
            spinner.spin();
            var val = !$checkbox.is(':checked');
@ -587,7 +588,7 @@ define([

        common.getAttribute(['security', 'unsafeLinks'], function (e, val) {
            if (e) { return void console.error(e); }
-            if (!val) {
+            if (val === false) {
                $checkbox.attr('checked', 'checked');
            }
        });