chore(release): 1.19.5 [skip ci]

## [1.19.5](v1.19.4...v1.19.5) (2021-09-19) ### Bug Fixes * **redirects:** lock down redirect attempts, fixes [#619](#619) ([544e5ea](544e5ea))
MrSwitch · Sep 19, 2021 · db93ed7 · db93ed7
1 parent 8200873
commit db93ed7
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## [1.19.5](https://github.com/MrSwitch/hello.js/compare/v1.19.4...v1.19.5) (2021-09-19)
+
+
+### Bug Fixes
+
+* **redirects:** lock down redirect attempts, fixes [#619](https://github.com/MrSwitch/hello.js/issues/619) ([544e5ea](https://github.com/MrSwitch/hello.js/commit/544e5ea3876116d93689e26b2c6a0b9ad9052e14))
+
 ## [1.19.4](https://github.com/MrSwitch/hello.js/compare/v1.19.3...v1.19.4) (2021-06-24)
 
 

diff --git a/dist/hello.all.js b/dist/hello.all.js
@@ -1,4 +1,4 @@
-/*! hellojs v1.19.4 - (c) 2012-2021 Andrew Dodson - MIT https://adodson.com/hello.js/LICENSE */
+/*! hellojs v1.19.5 - (c) 2012-2021 Andrew Dodson - MIT https://adodson.com/hello.js/LICENSE */
 // ES5 Object.create
 if (!Object.create) {
 
@@ -1566,7 +1566,14 @@ hello.utils.extend(hello.utils, {
 
 		function isValidUrl(url) {
 			var regexp = /^https?:/;
-			return regexp.test(url);
+			return regexp.test(url)
+
+				// If `HELLOJS_REDIRECT_URL` is defined in the window context, validate that the URL matches it.
+				&& (
+					!Object.prototype.hasOwnProperty.call(window, 'HELLOJS_REDIRECT_URL')
+					||
+					url.match(window.HELLOJS_REDIRECT_URL)
+				);
 		}
 
 		// Trigger a callback to authenticate

diff --git a/dist/hello.all.min.js b/dist/hello.all.min.js
diff --git a/dist/hello.js b/dist/hello.js
@@ -1,4 +1,4 @@
-/*! hellojs v1.19.4 - (c) 2012-2021 Andrew Dodson - MIT https://adodson.com/hello.js/LICENSE */
+/*! hellojs v1.19.5 - (c) 2012-2021 Andrew Dodson - MIT https://adodson.com/hello.js/LICENSE */
 // ES5 Object.create
 if (!Object.create) {
 
@@ -1566,7 +1566,14 @@ hello.utils.extend(hello.utils, {
 
 		function isValidUrl(url) {
 			var regexp = /^https?:/;
-			return regexp.test(url);
+			return regexp.test(url)
+
+				// If `HELLOJS_REDIRECT_URL` is defined in the window context, validate that the URL matches it.
+				&& (
+					!Object.prototype.hasOwnProperty.call(window, 'HELLOJS_REDIRECT_URL')
+					||
+					url.match(window.HELLOJS_REDIRECT_URL)
+				);
 		}
 
 		// Trigger a callback to authenticate

diff --git a/dist/hello.min.js b/dist/hello.min.js
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "hellojs",
-  "version": "1.19.4",
+  "version": "1.19.5",
   "description": "A clientside Javascript library for standardizing requests to OAuth2 web services (and OAuth1 - with a shim)",
   "homepage": "https://adodson.com/hello.js",
   "main": "dist/hello.all.js",