Stricter verification of URLs

Author: maebeam

main.js

@@ -20,16 +20,34 @@ function createWindow () {
     evt.preventDefault();
   });
 
-  win.webContents.on('new-window', function(e, url) {
-    if (url.startsWith('https://identity.bitclout.com/')) {
-      return;
-    }
+  win.webContents.on('will-navigate', function(event, url) {
+    handleNavigate(win, event, url);
+  });
 
-    e.preventDefault();
-    shell.openExternal(url);
+  win.webContents.on('new-window', function(event, url) {
+    handleNavigate(win, event, url);
   });
 }
 
+function handleNavigate(win, event, url) {
+  win.setTitle(url);
+
+  // Allow bitclout-approved URLs
+  if (url.startsWith('https://bitclout.com/') || url.startsWith('https://identity.bitclout.com/')) {
+    return;
+  }
+
+  event.preventDefault();
+
+  // Only allow URLs and emails
+  if(!url.startsWith('https://') && !url.startsWith('http://') && !url.startsWith('mailto:')) {
+    return;
+  }
+
+  // Open https links in external browser
+  shell.openExternal(url);
+}
+
 app.whenReady().then(() => {
   createWindow()
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "BitClout",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "bitclout.com electron app",
   "main": "main.js",
   "scripts": {