Improve script url validation

author: Robert Newson <rnewson@apache.org> 2012-12-18 15:11:41 +0000
committer: Robert Newson <rnewson@apache.org> 2012-12-19 01:46:42 +0000
commit: c98a4108826d613658f2e396e6315770d026d1d2 (patch)
tree: e001b4125e18fd49001910e59eee94d5926f1229
parent: a5cabbd4e99a9ea8f5c7cca0db7b0ae0424c89dd (diff)
download: couchdb-c98a4108826d613658f2e396e6315770d026d1d2.tar.gz
1 files changed, 3 insertions, 6 deletions
diff --git a/share/www/script/couch_test_runner.js b/share/www/script/couch_test_runner.js
index b09aeab62..c04e6b1da 100644
--- a/share/www/script/couch_test_runner.js
+++ b/share/www/script/couch_test_runner.js
@@ -15,12 +15,9 @@
 
 function loadScript(url) {
   // disallow loading remote URLs
-  if((url.substr(0, 7) == "http://")
-    || (url.substr(0, 8) == "https://")
-    || (url.substr(0, 2) == "//")
-    || (url.substr(0, 5) == "data:")
-    || (url.substr(0, 11) == "javascript:")) {
-        throw "Not loading remote test scripts";
+  var re = /^[a-z0-9_]+(\/[a-z0-9_]+)*\.js#?$/;
+  if (!re.test(url)) {
+      throw "Not loading remote test scripts";
   }
   if (typeof document != "undefined") document.write('<script src="'+url+'"></script>');
 };
author	Robert Newson <rnewson@apache.org>	2012-12-18 15:11:41 +0000
committer	Robert Newson <rnewson@apache.org>	2012-12-19 01:46:42 +0000
commit	c98a4108826d613658f2e396e6315770d026d1d2 (patch)
tree	e001b4125e18fd49001910e59eee94d5926f1229
parent	a5cabbd4e99a9ea8f5c7cca0db7b0ae0424c89dd (diff)
download	couchdb-c98a4108826d613658f2e396e6315770d026d1d2.tar.gz