From 07bb1db91b6d775244190541f8bfd53835c404a6 Mon Sep 17 00:00:00 2001
From: stuebinm <stuebinm@disroot.org>
Date: Mon, 20 Dec 2021 00:28:00 +0100
Subject: [PATCH] forbid opening local html files in iframes

---
 lib/Properties.hs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/Properties.hs b/lib/Properties.hs
index 797a1d7..05020f5 100644
--- a/lib/Properties.hs
+++ b/lib/Properties.hs
@@ -225,7 +225,9 @@ checkLayer = do
 
 checkObjectProperty :: Object -> Property -> LintWriter Layer
 checkObjectProperty obj p@(Property name _) = case name of
-  "url" -> pure ()
+  "url" -> unwrapURI (Proxy @"website") p
+    (dependsOn . Link)
+    (const $ forbid "using \"url\" to open local html files is disallowed.")
   "allowApi" -> forbidProperty name
   "getBadge" -> do
     when (1 /= length (getProperties obj))
@@ -329,7 +331,7 @@ checkTileLayerProperty p@(Property name _value) = case name of
       suggestProperty $ Property "openWebsiteTrigger" (StrProp "onaction")
       unwrapURI (Proxy @"website") p
         (dependsOn . Link)
-        (dependsOn . Local)
+        (const $ forbid "using openWebsite to access local html files is disallowed.")
     "openWebsiteTrigger" -> do
       isString p
       requireProperty "openWebsite"
-- 
GitLab