author | jonathan | 2021-12-28 21:21:25 +0000 |
---|---|---|
committer | stuebinm | 2022-01-02 01:55:49 +0100 |
commit | 4693dd8604253a24bbda9ea7f60e158eba3fa1a3 (patch) | |
tree | 793c04fbe79ad5c85ee3d90595d19d9e516c99a5 /lib | |
parent | 520e94e98f4c03bc738c4903ac53b83b08beb975 (diff) |
fixed url injection by means of starting an url with "." and turning the prefix into a subdomain
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Properties.hs | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/Properties.hs b/lib/Properties.hs
index c4fc458..3d9b30f 100644
--- a/lib/Properties.hs
+++ b/lib/Properties.hs
@@ -480,7 +480,7 @@ checkTileLayerProperty p@(Property name _value) = case name of
 -> do
 properties <- askContext <&> getProperties
 unless (all (\(Property name value) -> case value of
- StrProp str -> name /= "openWebsite" || "https://static.rc3.world" `isPrefixOf` str
+ StrProp str -> name /= "openWebsite" || "https://static.rc3.world/" `isPrefixOf` str
 _ -> True
 ) properties)
 $ complain "\"openWebsiteAllowApi\" can only be used with websites hosted \ |
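Review bot: The trailing slash in `"https://static.rc3.world/"` on the changed `StrProp str` line is now the only thing that ends the host part of the allowed prefix, and nothing in the code says so, so a later tidy-up could silently reintroduce the subdomain bypass the commit message describes. I would add a comment above that line, e.g. `-- the trailing '/' terminates the host; without it "https://static.rc3.world.<other-domain>" would also match`, and bind the origin to a named constant instead of an inline literal. The `_ -> True` branch also accepts an `openWebsite` property whose value is not a `StrProp`; presumably that is rejected elsewhere, but it is worth confirming. The lambda's `name` shadows the `name` bound in the `checkTileLayerProperty` pattern, so renaming it would avoid a shadowing warning. The function body starts and ends outside this hunk.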