From 4693dd8604253a24bbda9ea7f60e158eba3fa1a3 Mon Sep 17 00:00:00 2001 From: jonathan Date: Tue, 28 Dec 2021 21:21:25 +0000 Subject: fixed url injection by means of starting an url with "." and turning the prefix into a subdomain --- lib/Properties.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/Properties.hs b/lib/Properties.hs index c4fc458..3d9b30f 100644 --- a/lib/Properties.hs +++ b/lib/Properties.hs @@ -480,7 +480,7 @@ checkTileLayerProperty p@(Property name _value) = case name of -> do properties <- askContext <&> getProperties unless (all (\(Property name value) -> case value of - StrProp str -> name /= "openWebsite" || "https://static.rc3.world" `isPrefixOf` str + StrProp str -> name /= "openWebsite" || "https://static.rc3.world/" `isPrefixOf` str _ -> True ) properties) $ complain "\"openWebsiteAllowApi\" can only be used with websites hosted \ -- cgit v1.2.3