fix(notifications): Require absolute links for support of desktop and mobile clients

miaulalala · miaulalala · commit 11bc0d5a3971 · 2026-04-14T22:47:36.000+02:00
To align with the stricter validation introduced in nextcloud/server#59606. AI-Assisted-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Anna Larch <anna@nextcloud.com>
diff --git a/lib/NotificationGenerator.php b/lib/NotificationGenerator.php
@@ -12,6 +12,7 @@
 use OCP\Activity\IEvent;
 use OCP\Activity\IManager as ActivityManager;
 use OCP\IL10N;
+use OCP\IURLGenerator;
 use OCP\Notification\AlreadyProcessedException;
 use OCP\Notification\IManager as NotificationManager;
 use OCP\Notification\INotification;
@@ -28,9 +29,24 @@ public function __construct(
 		protected UserSettings $userSettings,
 		protected IL10N $l10n,
 		protected LoggerInterface $logger,
+		protected IURLGenerator $urlGenerator,
 	) {
 	}
 
+	private function sanitizeUrl(string $url): string {
+		if (str_starts_with($url, 'http://') || str_starts_with($url, 'https://')) {
+			return $url;
+		}
+
+		// Reject non-HTTP(S) schemes (e.g. javascript:, nc://, data:)
+		if (preg_match('/^[a-zA-Z][a-zA-Z0-9+\-.]*:/', $url)) {
+			return '';
+		}
+
+		// Relative URL — make it absolute
+		return $this->urlGenerator->getAbsoluteURL($url);
+	}
+
 	public function deferNotifications(): bool {
 		return $this->notificationManager->defer();
 	}
@@ -68,8 +84,9 @@ private function getNotificationForEvent(IEvent $event, int $activityId): INotif
 			$notification->setMessage($event->getMessage(), $event->getMessageParameters());
 		}
 
-		if ($event->getLink()) {
-			$notification->setLink($event->getLink());
+		$link = $event->getLink() ? $this->sanitizeUrl($event->getLink()) : '';
+		if ($link !== '') {
+			$notification->setLink($link);
 		}
 
 		return $notification;
@@ -127,8 +144,9 @@ private function getDisplayNotificationForEvent(IEvent $event, int $activityId):
 		$notification->setRichSubject($event->getRichSubject(), $event->getRichSubjectParameters());
 		$notification->setParsedSubject($event->getParsedSubject());
 
-		if ($event->getIcon()) {
-			$notification->setIcon($event->getIcon());
+		$icon = $event->getIcon() ? $this->sanitizeUrl($event->getIcon()) : '';
+		if ($icon !== '') {
+			$notification->setIcon($icon);
 		}
 
 		if ($event->getRichMessage()) {
