From 64517a87231af853a1d0dec3ca472d327ad50e85 Mon Sep 17 00:00:00 2001
From: zefie
Date: Thu, 1 Dec 2022 06:52:08 -0500
Subject: [PATCH] more signature sanity checking - allows A links to wtvchat and irc, but not any form of embedding (img bgsound etc)
---
 zefie_wtvp_minisrv/includes/classes/WTVShared.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/zefie_wtvp_minisrv/includes/classes/WTVShared.js b/zefie_wtvp_minisrv/includes/classes/WTVShared.js
index d56e4416..071be889 100644
--- a/zefie_wtvp_minisrv/includes/classes/WTVShared.js
+++ b/zefie_wtvp_minisrv/includes/classes/WTVShared.js
@@ -240,8 +240,16 @@ class WTVShared {
 var allowed = true;
 Object.keys(frame.attribs).forEach((k) => {
 if (k == "href" || k == "background" || k == "src") {
- allowed = false;
- var value = frame.attribs[k];
+ allowed = false;
+ var value = frame.attribs[k];
+
+ if (frame.tag !== "a") {
+ // check everything except normal links
+ if (value.startsWith("wtvchat") || value.startsWith("irc")) {
+ // don't allow irc embeds
+ return false;
+ }
+ }
 Object.keys(allowedProtocols).forEach((j) => {
 if (value.startsWith(allowedProtocols[j])) {
 allowed = true;
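Review bot: The `return false;` in the new `wtvchat`/`irc` branch only ends the current `forEach` callback, so the rejection rests entirely on the `allowed = false` assigned just above it, and `allowed` is one variable shared by every `href`/`background`/`src` attribute of the tag. If a later attribute on the same tag matches an entry in `allowedProtocols`, the inner loop sets `allowed = true` again and the earlier denial is lost, so the outcome depends on attribute order. Making the denial sticky would close that: declare `var denied = false;` beside `allowed`, use `denied = true; return;` in this branch, and let the code after the loop accept the tag only when `allowed && !denied`. The enclosing function starts and ends outside the hunk, so how `allowed` is consumed afterwards is inferred rather than visible here.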