From f073db93db5b93b0f0c7b83ffedf253dee77d3c9 Mon Sep 17 00:00:00 2001
From: Stefan Ceriu
Date: Mon, 25 Sep 2023 09:17:44 +0300
Subject: [PATCH] Only allow `https` call links to be passed through the custom app scheme
---
 ElementX/Sources/Application/Navigation/AppRoutes.swift | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ElementX/Sources/Application/Navigation/AppRoutes.swift b/ElementX/Sources/Application/Navigation/AppRoutes.swift
index 2b4473c3b..298c2f98a 100644
--- a/ElementX/Sources/Application/Navigation/AppRoutes.swift
+++ b/ElementX/Sources/Application/Navigation/AppRoutes.swift
@@ -91,7 +91,9 @@ struct ElementCallURLParser: URLParser {
 }
 guard let encodedURLString = components.queryItems?.first(where: { $0.name == customSchemeURLQueryParameterName })?.value,
- let callURL = URL(string: encodedURLString) else {
+ let callURL = URL(string: encodedURLString),
+ callURL.scheme == "https" // Don't allow URLs from potentially unsafe domains
+ else {
 MXLog.error("Invalid custom scheme call parameters: \(url)")
 return nil
 }
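Review bot: The inline comment on the added `callURL.scheme == "https"` line says it keeps out unsafe domains, but the condition constrains only the scheme. Any https host carried in the custom-scheme query parameter still passes this guard, and whether the host is validated further down is not visible in the hunk. I would reword the comment to state what is enforced, e.g. `// Only https: rejects file:, javascript:, data: and cleartext http. The host is not validated here.`, and confirm that whatever consumes the returned route either checks the host against an allow-list or treats the loaded page as untrusted. The comparison is also case-sensitive, so a link whose scheme is spelled `HTTPS` would likely be rejected; that fails closed, but `callURL.scheme?.lowercased() == "https"` avoids the surprise. The enclosing function starts and ends outside the hunk.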