From bb75f34ec3d8a47a0f4be70e4d5ee1688c4fe7ca Mon Sep 17 00:00:00 2001
From: Brett Zamir
Date: Wed, 19 Feb 2014 05:26:46 +0000
Subject: [PATCH] Require extensions to begin with "ext-" and end with ".js" to prevent URL-prompted loading of other files within the extPath.
git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2712 eee81c28-f429-11dd-99c0-75d572ba1ddd
---
 editor/svg-editor.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/editor/svg-editor.js b/editor/svg-editor.js
index a8cad76d..881936c9 100644
--- a/editor/svg-editor.js
+++ b/editor/svg-editor.js
@@ -537,6 +537,9 @@ TO-DOS
 var extFunc = function() {
 $.each(curConfig.extensions, function() {
 var extname = this;
+ if (!extname.match(/^ext-.*\.js/)) { // Ensure URL cannot specify some other unintended file in the extPath
+ return;
+ }
 $.getScript(curConfig.extPath + extname, function(d) {
 // Fails locally in Chrome 5
 if (!d) {
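Review bot: The added pattern `/^ext-.*\.js/` has no `$` anchor and its `.*` matches any character, so it does not enforce the "end with .js" rule stated in the commit message. It still accepts names that contain `/`, `..` segments, or trailing text after `.js`. Because the value is concatenated onto `curConfig.extPath` in the `$.getScript` call right below, such a name can still resolve to a script other than a shipped extension file. Anchor both ends and restrict the middle to an allowlisted character class, for example `if (!/^ext-[\w-]+\.js$/.test(extname)) {`, assuming the shipped extension names use only letters, digits, `_` and `-`. The rejection is also silent, so a `console.warn` naming the skipped entry would make a dropped or tampered extension list visible; the `extFunc` body and the `$.getScript` callback continue past the end of this hunk.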