From 5b1fe362589b9ce6aa36e2df6fda4b3165bcdb32 Mon Sep 17 00:00:00 2001
From: jonathan <jonathanheindl@gmx.de>
Date: Tue, 28 Dec 2021 21:21:25 +0000
Subject: [PATCH] fixed URL injection by means of starting a URL with "." and
 turning the prefix into a subdomain

---
 lib/Properties.hs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/Properties.hs b/lib/Properties.hs
index 35c4ce4..31823e6 100644
--- a/lib/Properties.hs
+++ b/lib/Properties.hs
@@ -497,7 +497,14 @@ checkTileThing removeExits p@(Property name _value) = case name of
         -> forbidProperty name
         -- the openWebsite Api can only be allowed if the website is on static.rc3.world
       | T.toLower name == "openwebsiteallowapi"
-        -> forbid "\"openWebsiteAllowApi\" is disallowed."
+        -> do
+          properties <- askContext <&> getProperties
+          unless (all (\(Property name value) -> case value of
+                          StrProp str -> name /= "openWebsite" || "https://static.rc3.world/" `isPrefixOf` str
+                          _ -> True
+                      ) properties)
+            $ complain "\"openWebsiteAllowApi\" can only be used with websites hosted \
+                       \on https://static.rc3.world"
       | name `elem` [ "openWebsite", "openTab" ] -> do
           uselessEmptyLayer
           suggestProperty $ Property "openWebsiteTrigger" (StrProp "onaction")
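Review bot: The new inner check on the `openWebsite` property compares the name case-sensitively (`name /= "openWebsite"`), while the guard that triggers it lowercases the name before comparing (`T.toLower name == "openwebsiteallowapi"`); if the map engine also reads `openWebsite` case-insensitively, an `openwebsite` property pointing off-site is skipped by the `all`, so `openWebsiteAllowApi` would be kept for a non-static.rc3.world page. Making both sides consistent avoids guessing: `\(Property pName pValue) -> case pValue of` and `StrProp str -> T.toLower pName /= "openwebsite" || "https://static.rc3.world/" `isPrefixOf` str`, which also removes the shadowing of the outer `name` bound in `checkTileThing`'s head (that shadowing is harmless here but trips `-Wname-shadowing` and makes the two `name`s easy to confuse). The prefix now ends in `/`, so hosts such as `static.rc3.world.<other>` no longer match, which is what the commit sets out to fix; note that non-`StrProp` values still pass via `_ -> True`, which is fine only if a URL can never arrive in another property type. Since the removed line used `forbid` and the new branch uses `complain`, it is worth confirming that `complain` still drops or rejects the property rather than only recording a warning, otherwise the API stays enabled despite the message. `checkTileThing` starts before and continues after this hunk.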
-- 
GitLab