Forbid subscribing to filter lists with invalid URLs

Related issue:
- https://github.com/uBlockOrigin/uBlock-issues/issues/1797

src/js/asset-viewer.js

@@ -35,6 +35,9 @@ import './codemirror/ubo-static-filtering.js';
     const assetKey = subscribeParams.get('url');
     if ( assetKey === null ) { return; }
 
+    // https://github.com/uBlockOrigin/uBlock-issues/issues/1797
+    if ( /^(file|https?):\/\//.test(assetKey) === false ) { return; }
+
     const subscribeElem = subscribeParams.get('subscribe') !== null
         ? document.getElementById('subscribe')
         : null;

src/js/messaging.js

@@ -1863,6 +1863,8 @@ const onMessage = function(request, sender, callback) {
         const hash = µb.selectedFilterLists.indexOf(request.location) !== -1
             ? '#subscribed'
             : '';
+        // https://github.com/uBlockOrigin/uBlock-issues/issues/1797
+        if ( /^(file|https?):\/\//.test(url) === false ) { break; }
         vAPI.tabs.open({
             url: `/asset-viewer.html?url=${url}&title=${title}&subscribe=1${hash}`,
             select: true,

src/js/scriptlets/subscriber.js

@@ -41,15 +41,7 @@ if ( document instanceof HTMLDocument === false ) { return; }
 // Maybe uBO has gone away meanwhile.
 if ( typeof vAPI !== 'object' || vAPI === null ) { return; }
 
-// https://github.com/easylist/EasyListHebrew/issues/89
+const onMaybeSubscriptionLinkClicked = function(target) {
-//   Ensure trusted events only.
-
-const onMaybeSubscriptionLinkClicked = function(ev) {
-    if ( ev.button !== 0 || ev.isTrusted === false ) { return; }
-
-    const target = ev.target.closest('a');
-    if ( target instanceof HTMLAnchorElement === false ) { return; }
-
     if ( vAPI instanceof Object === false ) {
         document.removeEventListener('click', onMaybeSubscriptionLinkClicked);
         return;
@@ -70,18 +62,28 @@ const onMaybeSubscriptionLinkClicked = function(ev) {
         const location = subscribeURL.searchParams.get('location') || '';
         const title = subscribeURL.searchParams.get('title') || '';
         if ( location === '' || title === '' ) { return; }
+        // https://github.com/uBlockOrigin/uBlock-issues/issues/1797
+        if ( /^(file|https?):\/\//.test(location) === false ) { return; }
         vAPI.messaging.send('scriptlets', {
             what: 'subscribeTo',
             location,
             title,
         });
-        ev.stopPropagation();
-        ev.preventDefault();
     } catch (_) {
     }
 };
 
-document.addEventListener('click', onMaybeSubscriptionLinkClicked);
+// https://github.com/easylist/EasyListHebrew/issues/89
+//   Ensure trusted events only.
+
+document.addEventListener('click', ev => {
+    if ( ev.button !== 0 || ev.isTrusted === false ) { return; }
+    const target = ev.target.closest('a');
+    if ( target instanceof HTMLAnchorElement === false ) { return; }
+    onMaybeSubscriptionLinkClicked(target);
+    ev.stopPropagation();
+    ev.preventDefault();
+});
 
 /******************************************************************************/