From 6f5882aa34f9e89772701b457a4639ceb7b2408f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89tienne=20Charignon?= <etienne.charignon@gmail.com>
Date: Wed, 18 Dec 2024 15:19:52 +0100
Subject: [PATCH] Fix incomplete URL substring sanitization

'cdn.jsdelivr.net' can be anywhere in the URL, and arbitrary hosts may come before or after it.
---
 tarteaucitron.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tarteaucitron.js b/tarteaucitron.js
index daff291b..df975e9c 100644
--- a/tarteaucitron.js
+++ b/tarteaucitron.js
@@ -204,7 +204,7 @@ var tarteaucitron = {
 
         var cdn = tarteaucitron.cdn,
             language = tarteaucitron.getLanguage(),
-            useMinifiedJS = ((cdn.indexOf('cdn.jsdelivr.net') >= 0) || (tarteaucitronPath.indexOf('.min.') >= 0) || (tarteaucitronUseMin !== '')),
+            useMinifiedJS = (new URL(cdn).host == 'cdn.jsdelivr.net') || (tarteaucitronPath.indexOf('.min.') >= 0) || (tarteaucitronUseMin !== '')),
             pathToLang = cdn + 'lang/tarteaucitron.' + language + (useMinifiedJS ? '.min' : '') + '.js',
             pathToServices = cdn + 'tarteaucitron.services' + (useMinifiedJS ? '.min' : '') + '.js',
             linkElement = document.createElement('link'),