Version 0.15.9 (#2220)

* fix: iframes javascript content (#2218)

* config: update version (#2219)

package.json

@@ -1,6 +1,6 @@
 {
   "name": "homarr",
-  "version": "0.15.8",
+  "version": "0.15.9",
   "description": "Homarr - A homepage for your server.",
   "license": "MIT",
   "repository": {
@@ -244,4 +244,4 @@
       ]
     }
   }
-}
+}

public/locales/en/widgets/error-boundary.json

@@ -7,8 +7,8 @@
     }
   },
   "modal": {
-    "text": "",
-    "label": "Your error",
-    "reportButton": "Report this error"
+    "text": "The widet crashed unexpectitly. Please read the documentation and fix any typos.",
+    "label": "Occurred error",
+    "reportButton": "Report this error on GitHub"
   }
 }

src/widgets/iframe/IFrameTile.tsx

@@ -5,6 +5,20 @@ import { useTranslation } from 'next-i18next';
 import { defineWidget } from '../helper';
 import { IWidget } from '../widgets';
 
+function sanitizeUrl(url: string) {
+  let parsedUrl: URL;
+  try {
+    parsedUrl = new URL(url);
+  } catch (e) {
+    return 'about:blank';
+  }
+  if (['http:', 'https:'].includes(parsedUrl.protocol)) {
+    return parsedUrl.href;
+  } else {
+    throw new Error(`Protocol '${parsedUrl.protocol}' is not supported. Use HTTP or HTTPS.`);
+  }
+}
+
 const definition = defineWidget({
   id: 'iframe',
   icon: IconBrowser,
@@ -116,9 +130,8 @@ function IFrameTile({ widget }: IFrameTileProps) {
   return (
     <Container h="100%" w="100%" maw="initial" mah="initial" p={0}>
       <iframe
-        sandbox="" // Disables js execution see https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox
         className={classes.iframe}
-        src={widget.properties.embedUrl}
+        src={sanitizeUrl(widget.properties.embedUrl)}
         title="widget iframe"
         allow={allowedPermissions.join(' ')}
       >