Fix incomplete URL substring sanitization

'cdn.jsdelivr.net' can be anywhere in the URL, and arbitrary hosts may come before or after it.
AmauriC · Dec 18, 2024 · 6f5882a · 6f5882a
1 parent 2425c40
commit 6f5882a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/tarteaucitron.js b/tarteaucitron.js
@@ -204,7 +204,7 @@ var tarteaucitron = {
 
         var cdn = tarteaucitron.cdn,
             language = tarteaucitron.getLanguage(),
-            useMinifiedJS = ((cdn.indexOf('cdn.jsdelivr.net') >= 0) || (tarteaucitronPath.indexOf('.min.') >= 0) || (tarteaucitronUseMin !== '')),
+            useMinifiedJS = (new URL(cdn).host == 'cdn.jsdelivr.net') || (tarteaucitronPath.indexOf('.min.') >= 0) || (tarteaucitronUseMin !== '')),
             pathToLang = cdn + 'lang/tarteaucitron.' + language + (useMinifiedJS ? '.min' : '') + '.js',
             pathToServices = cdn + 'tarteaucitron.services' + (useMinifiedJS ? '.min' : '') + '.js',
             linkElement = document.createElement('link'),