Skip to content
Snippets Groups Projects

fixed url injection by means of starting an url with "." and turning the prefix into a subdomain

1 file
+ 1
1
Compare changes
  • Side-by-side
  • Inline
+ 1
1
@@ -480,7 +480,7 @@ checkTileLayerProperty p@(Property name _value) = case name of
-> do
properties <- askContext <&> getProperties
unless (all (\(Property name value) -> case value of
StrProp str -> name /= "openWebsite" || "https://static.rc3.world" `isPrefixOf` str
StrProp str -> name /= "openWebsite" || "https://static.rc3.world/" `isPrefixOf` str
_ -> True
) properties)
$ complain "\"openWebsiteAllowApi\" can only be used with websites hosted \
Loading