Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix an HTML injection exploit (#1210)
* Improve FixURL

* Ensure number

* Simplify
  • Loading branch information
brandonsturgeon authored and CapsAdmin committed Jul 13, 2022
1 parent d7b20ee commit 8fc9e12
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 2 deletions.
1 change: 1 addition & 0 deletions lua/pac3/core/shared/http.lua
Expand Up @@ -63,6 +63,7 @@ end

function pac.FixUrl(url)
url = url:Trim()
url = url:gsub("[\"'<>\n\\]+", "")

if url:find("dropbox", 1, true) then
url = url:gsub([[^http%://dl%.dropboxusercontent%.com/]], [[https://dl.dropboxusercontent.com/]])
Expand Down
4 changes: 2 additions & 2 deletions lua/pac3/libraries/urltex.lua
Expand Up @@ -114,7 +114,7 @@ function urltex.StartDownload(url, data)
end

url = pac.FixUrl(url)
local size = data.size or urltex.TextureSize
local size = tonumber(data.size or urltex.TextureSize)
local id = "urltex_download_" .. url
local pnl
local frames_passed = 0
Expand Down Expand Up @@ -267,4 +267,4 @@ function urltex.StartDownload(url, data)
createDownloadPanel()
end

return urltex
return urltex

0 comments on commit 8fc9e12

Please sign in to comment.