Bots should be able to link to non-http URIs

ahnolds

It's currently possible to embed a link in the description section (and some other sections) of an embed with the [display name](http://url.com) syntax. However, that only works for links to http pages and not other URI types. For example, it isn't possible to link to a calendar data URI object for example: data:text/calendar;charset=utf8,BEGIN%3AVCALENDAR%0AVERSION%3A2.0%0ABEGIN%3AVEVENT%0ADTSTART%3A20200528T225542Z%0ADTEND%3A20200528T225542Z%0AEND%3AVEVENT%0AEND%3AVCALENDAR

Similarly, it isn't possible to link to an ftp://uri or other types of valid address that modern browsers understand. This is coming up in particular because I'd love to have my bot be able to include calendar event links in an embed supporting both Google and ICS formatted links. The google one works since that's a standard http URI, but the ICS format (used on iOS, Outlook, iCal, basically anything that isn't Google Calendar) doesn't work.

3

Commentaires

3 commentaires

Date Votes
  • donovan_dmc

    The thing about this, people can embed malicious urls much easier with this (especially data urls)

    ex data:text/html,<script>alert("This Is Dangerous")</script>

    1
  • ahnolds

    Sure, but links are inherently always somewhat risky. Discord already has the pop-up showing where the link is taking you, so a user would get to see where they were going. It's not really any worse than getting linked to a malicious website in general IMO.

    And it would be relatively easy to either blacklist/filter out obviously bad link types (data:text/html in general, anything including <script>, etc) or to whitelist safe data types like the text/calendar example given above.

    1
  • CielRuby
    • Modifié

    Because that turns every . into a link and / is for bots, I recommend just a // double-slash requirement, without the https.
    For example //google.nl

    0

Vous devez vous connecter pour laisser un commentaire.