Skip to content

Feat: extend image validity check to inlcude nui URIs#84

Open
Maximus7474 wants to merge 3 commits intoCommunityOx:mainfrom
Maximus7474:feat/validate-uri-schemes
Open

Feat: extend image validity check to inlcude nui URIs#84
Maximus7474 wants to merge 3 commits intoCommunityOx:mainfrom
Maximus7474:feat/validate-uri-schemes

Conversation

@Maximus7474
Copy link
Member

@Maximus7474 Maximus7474 commented Feb 23, 2026

This pull request extends the check made by the server utility function Utils.IsValidImageUrl to also allow nui URI as imageurl in item metadata when the moderation log is enabled, it splits the check into two steps checking first if it's an nui URI then if it's a valid URL.

This PR addresses #58 issue, opens the door for easier freedom of use even if it doesn't seem like many servers use the feature.
Could be considered to have the validity check being always listed or as a separate convar to enable.

To be noted, this module requires some more attention, the valid hosts element for URL image checks still only lists 'imgur' as default valid source and needs changing being that imgur links do not function within nui.

My recommendation is to alter it to have a blacklist and a whitelist module, blacklisting by default discord and imgur urls (both do not work for fivem) and having an empty whitelist hash table. If there aren't any values for whitelisted domains

Example implementation:

local blacklistedHosts = { 'i.imgur.com', 'cdn.discordapp.com' }
local whitelistedHosts = { 'i.ibb.co' }

---@param host string
---@return boolean
local function isHostValid(host)
    -- Requires at least one whitelisted host to enforce
    if #whitelistedHosts > 0 then
        return table.contains(whitelistedHosts, host)
    else -- fallback to blacklisted domains, check that it isn't included
        return not table.contains(blacklistedHosts, host)
    end
end

@Maximus7474 Maximus7474 requested a review from FjamZoo February 25, 2026 11:04
@Maximus7474 Maximus7474 self-assigned this Feb 25, 2026
@Maximus7474 Maximus7474 added bug Something isn't working enhancement New feature or request labels Feb 25, 2026
FjamZoo
FjamZoo previously approved these changes Feb 25, 2026
View reviewed changes
@Maximus7474
Copy link
Member Author

Maximus7474 commented Feb 25, 2026

@FjamZoo any opinion on the whitelist blacklisting of urls ?
Also is possible to use a conVar to set the allowed hosts.

@FjamZoo
Copy link

FjamZoo commented Feb 25, 2026

@FjamZoo any opinion on the whitelist blacklisting of urls ? Also is possible to use a conVar to set the allowed hosts.

It looks pretty good as is, and yes we would need to make this happen through convars like most other configurations inside of ox_inventory.

@Maximus7474
Copy link
Member Author

Maximus7474 commented Feb 25, 2026

I'll add it to this PR with it being in the same scope.

@Maximus7474
Copy link
Member Author

Maximus7474 commented Feb 26, 2026

Would it be better to always have the valid img url checks even if no webhook ? Have it at least log in the console when an invalid use occurs ?

https://github.com/CommunityOx/ox_inventory/blob/main/modules/items/server.lua#L235-L242
https://github.com/CommunityOx/ox_inventory/blob/main/modules/inventory/server.lua#L1039-L1046

@Maximus7474 Maximus7474 marked this pull request as ready for review February 26, 2026 10:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@FjamZoo FjamZoo FjamZoo left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@Maximus7474 Maximus7474

Labels

bug Something isn't working enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Maximus7474 @FjamZoo