(core) Serving widget info page from home url

Summary: Custom widget into page is served from a homeUrl instead of untrusted URL, which might be not used in grist-core. Test Plan: manual test Reviewers: paulfitz Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D3307
2026-03-02 04:09:24 +00:00 · 2022-03-07 13:58:06 +01:00
parent d2b82b84c7
commit 351d70d4fb
2 changed files with 7 additions and 3 deletions
--- a/app/server/lib/FlexServer.ts
+++ b/app/server/lib/FlexServer.ts
@@ -450,6 +450,9 @@ export class FlexServer implements GristServer {
    // Plugins get access to static resources without a tag
    this.app.use(limitToPlugins(express.static(getAppPathTo(this.appRoot, 'static'))));
    this.app.use(limitToPlugins(express.static(getAppPathTo(this.appRoot, 'bower_components'))));
+    // Serve custom-widget.html message for anyone.
+    this.app.use(/^\/(custom-widget.html)$/, expressWrap(async (req, res) =>
+      res.sendFile(req.params[0], {root: getAppPathTo(this.appRoot, 'static')})));
    this.addOrg();
    addPluginEndpoints(this, await this._addPluginManager());
  }