diff --git a/lib/Properties.hs b/lib/Properties.hs
index 4b516243990765f23c7d2a853e72127ec5132f39..345f2ba28e644d9c81629b594ba8420028561fa3 100644
--- a/lib/Properties.hs
+++ b/lib/Properties.hs
@@ -12,7 +12,7 @@ module Properties (checkMap, checkTileset, checkLayer) where
 
 
 import           Control.Monad     (forM, forM_, unless, when)
-import           Data.Text         (Text, intercalate, isPrefixOf)
+import           Data.Text         (Text, intercalate, isPrefixOf, isInfixOf)
 import qualified Data.Text         as T
 import qualified Data.Vector       as V
 import           Tiled             (Layer (..), Object (..), Property (..),
@@ -142,7 +142,8 @@ checkMapProperty p@(Property name _) = case name of
   -- scripts can be used by one map
   _ | T.toLower name == "script" ->
       unwrapString p $ \str ->
-        unless ("https://static.rc3.world/scripts" `isPrefixOf` str)
+        unless (("https://static.rc3.world/scripts" `isPrefixOf` str) &&
+                (not $ "/../" `isInfixOf` str))
         $ forbid "only scripts hosted on static.rc3.world are allowed."
     | name `elem` ["jitsiRoom", "bbbRoom", "playAudio", "openWebsite"
                   , "url", "exitUrl", "silent", "getBadge"]