Merge commit from fork

Co-authored-by: Sabe Jones <sabe@habitica.com>

website/client/package-lock.json

@@ -23,7 +23,6 @@
         "bootstrap": "^4.6.0",
         "bootstrap-vue": "^2.23.1",
         "core-js": "^3.33.1",
-        "dompurify": "^3.0.3",
         "eslint": "7.32.0",
         "eslint-config-habitrpg": "6.2.0",
         "eslint-plugin-mocha": "5.3.0",
@@ -5389,11 +5388,6 @@
         "url": "https://github.com/fb55/domhandler?sponsor=1"
       }
     },
-    "node_modules/dompurify": {
-      "version": "3.0.6",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.0.6.tgz",
-      "integrity": "sha512-ilkD8YEnnGh1zJ240uJsW7AzE+2qpbOUYjacomn3AvJ6J4JhKGSZ2nh4wUIXPZrEPppaCLx5jFe8T89Rk8tQ7w=="
-    },
     "node_modules/domutils": {
       "version": "2.8.0",
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-2.8.0.tgz",

website/client/package.json

@@ -25,7 +25,6 @@
     "bootstrap": "^4.6.0",
     "bootstrap-vue": "^2.23.1",
     "core-js": "^3.33.1",
-    "dompurify": "^3.0.3",
     "eslint": "7.32.0",
     "eslint-config-habitrpg": "6.2.0",
     "eslint-plugin-mocha": "5.3.0",

website/client/src/components/auth/registerLoginReset.vue

@@ -608,10 +608,9 @@ import axios from 'axios';
 import hello from 'hellojs';
 import debounce from 'lodash/debounce';
 import isEmail from 'validator/es/lib/isEmail';
-import DOMPurify from 'dompurify';
 import { MINIMUM_PASSWORD_LENGTH } from '@/../../common/script/constants';
 import { buildAppleAuthUrl } from '../../libs/auth';
-
+import sanitizeRedirect from '@/mixins/sanitizeRedirect';
 import exclamation from '@/assets/svg/exclamation.svg';
 import gryphon from '@/assets/svg/gryphon.svg';
 import habiticaIcon from '@/assets/svg/logo-horizontal.svg';
@@ -619,6 +618,7 @@ import googleIcon from '@/assets/svg/google.svg';
 import appleIcon from '@/assets/svg/apple_black.svg';
 
 export default {
+  mixins: [sanitizeRedirect],
   data () {
     const data = {
       username: '',
@@ -747,11 +747,6 @@ export default {
         }
       });
     }, 500),
-    sanitizeRedirect (redirect) {
-      if (!redirect) return '/';
-      const sanitizedString = DOMPurify.sanitize(redirect).replace(/\\|\/\/|\./g, '');
-      return sanitizedString;
-    },
     async register () {
       // @TODO do not use alert
       if (!this.email) {

website/client/src/components/static/home.vue

@@ -784,6 +784,7 @@ import debounce from 'lodash/debounce';
 import isEmail from 'validator/es/lib/isEmail';
 import { MINIMUM_PASSWORD_LENGTH } from '@/../../common/script/constants';
 import { buildAppleAuthUrl } from '../../libs/auth';
+import sanitizeRedirect from '@/mixins/sanitizeRedirect';
 import googlePlay from '@/assets/images/home/google-play-badge.svg';
 import iosAppStore from '@/assets/images/home/ios-app-store.svg';
 import iphones from '@/assets/images/home/iphones.svg';
@@ -804,6 +805,7 @@ import makeuseof from '@/assets/images/home/make-use-of.svg';
 import thenewyorktimes from '@/assets/images/home/the-new-york-times.svg';
 
 export default {
+  mixins: [sanitizeRedirect],
   data () {
     return {
       icons: Object.freeze({
@@ -923,7 +925,9 @@ export default {
         groupInvite,
       });
 
-      window.location.href = this.$route.query.redirectTo || '/';
+      const redirect = this.sanitizeRedirect(this.$route.query.redirectTo);
+
+      window.location.href = redirect;
     },
     playButtonClick () {
       this.$router.push('/register');

website/client/src/mixins/sanitizeRedirect.js

@@ -0,0 +1,16 @@
+export default {
+  methods: {
+    sanitizeRedirect (redirect) {
+      if (!redirect) {
+        return '/';
+      }
+      if (process.env.TRUSTED_DOMAINS.split(',').includes(redirect)) {
+        return redirect;
+      }
+      if (redirect.slice(0, 1) !== '/' || redirect.slice(1, 1) === '/') {
+        return '/';
+      }
+      return redirect;
+    },
+  },
+};