Fix incomplete URL substring sanitization

etienneCharignon · etienneCharignon · commit 5cce5a3ad50a · 2024-12-18T17:34:37.000+01:00
'cdn.jsdelivr.net' can be anywhere in the URL, and arbitrary hosts may come before or after it.
diff --git a/public/pro/tarteaucitron/tarteaucitron.js b/public/pro/tarteaucitron/tarteaucitron.js
@@ -204,7 +204,7 @@ var tarteaucitron = {
 
         var cdn = tarteaucitron.cdn,
             language = tarteaucitron.getLanguage(),
-            useMinifiedJS = ((cdn.indexOf('cdn.jsdelivr.net') >= 0) || (tarteaucitronPath.indexOf('.min.') >= 0) || (tarteaucitronUseMin !== '')),
+            useMinifiedJS = ((new URL(cdn).host == 'cdn.jsdelivr.net') || (tarteaucitronPath.indexOf('.min.') >= 0) || (tarteaucitronUseMin !== '')),
             pathToLang = cdn + 'lang/tarteaucitron.' + language + (useMinifiedJS ? '.min' : '') + '.js',
             pathToServices = cdn + 'tarteaucitron.services' + (useMinifiedJS ? '.min' : '') + '.js',
             linkElement = document.createElement('link'),
