From 55780fa9a8d3b95e103c5f5222f6a42e9cf278df Mon Sep 17 00:00:00 2001
From: Fuwn <contact@fuwn.net>
Date: Mon, 1 Jun 2026 12:57:57 +0000
Subject: fix(security): escape badge source/designer to close stored XSS

classifySource/classifyDesigner built <a> markup by raw-interpolating
user-controlled badge fields and rendered it via {@html}, enabling
stored XSS on public badge walls (any visitor who opened a crafted
badge). Extract them into badgeLinks.ts returning {href,label} with
http(s)-only href validation, render via escaped Svelte bindings, and
add regression tests.
---
 src/lib/User/BadgeWall/badgeLinks.ts | 56 ++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 src/lib/User/BadgeWall/badgeLinks.ts

(limited to 'src/lib/User/BadgeWall/badgeLinks.ts')

diff --git a/src/lib/User/BadgeWall/badgeLinks.ts b/src/lib/User/BadgeWall/badgeLinks.ts
new file mode 100644
index 00000000..92cbe6ce
--- /dev/null
+++ b/src/lib/User/BadgeWall/badgeLinks.ts
@@ -0,0 +1,56 @@
+export interface BadgeLink {
+	href: string | null;
+	label: string;
+}
+
+const safeHttpUrl = (value: string): string | null => {
+	try {
+		const url = new URL(value);
+
+		return url.protocol === "http:" || url.protocol === "https:" ? value : null;
+	} catch {
+		return null;
+	}
+};
+
+export const classifySource = (source: string): BadgeLink => {
+	let label = source;
+	const sourceLower = source.toLowerCase();
+
+	if (sourceLower.includes("pixiv.net")) {
+		label = "Pixiv";
+	} else if (
+		sourceLower.includes("twitter.com") ||
+		sourceLower.includes("x.com")
+	) {
+		label = "X (Twitter)";
+	} else if (sourceLower.includes("zerochan.net")) {
+		label = "Zerochan";
+	} else if (sourceLower.includes("imgur.com")) {
+		label = "Imgur";
+	} else if (sourceLower.includes("lofter.com")) {
+		label = "Lofter";
+	}
+
+	return { href: safeHttpUrl(source), label };
+};
+
+export const classifyDesigner = (designer: string): BadgeLink => {
+	let name = designer;
+	let userLink = designer;
+	const designerLower = designer.toLowerCase();
+	const anilistUser = designer.match(
+		/https?:\/\/anilist\.co\/user\/([^/]+)\/?/,
+	);
+
+	if (anilistUser) {
+		name = anilistUser[1];
+	} else if (designerLower.startsWith("@")) {
+		name = designer.replace("@", "");
+		userLink = `https://anilist.co/user/${name}/`;
+	} else if (!designerLower.startsWith("http")) {
+		userLink = `https://anilist.co/user/${name}/`;
+	}
+
+	return { href: safeHttpUrl(userLink), label: name };
+};
-- 
cgit v1.2.3