diff options
| author | stuebinm | 2021-12-28 21:36:10 +0100 |
|---|---|---|
| committer | stuebinm | 2021-12-28 21:36:55 +0100 |
| commit | f2a68764a14fe52a4b2005bc6909572d08409394 (patch) | |
| tree | 3661c95ddd6421ee30f73b9af0951924522f1f7a | |
| parent | 921a0e893ff6addb8c79527d38d6dd057ea8df5e (diff) | |
script links can't contain @
| -rw-r--r-- | lib/Properties.hs | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/Properties.hs b/lib/Properties.hs index 46afcb9..c4fc458 100644 --- a/lib/Properties.hs +++ b/lib/Properties.hs @@ -143,7 +143,9 @@ checkMapProperty p@(Property name _) = case name of _ | T.toLower name == "script" -> unwrapString p $ \str -> unless (("https://static.rc3.world/scripts" `isPrefixOf` str) && - (not $ "/../" `isInfixOf` str)) + (not $ "/../" `isInfixOf` str) && + (not $ "%" `isInfixOf` str) && + (not $ "@" `isInfixOf` str)) $ forbid "only scripts hosted on static.rc3.world are allowed." | name `elem` ["jitsiRoom", "bbbRoom", "playAudio", "openWebsite" , "url", "exitUrl", "silent", "getBadge"] |