From efaf4fbbda17198a14e0c0d9c86f53142e1d89ca Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Thu, 23 Apr 2020 15:22:54 -0600
Subject: [PATCH] Decode dollar signs in safe widget URLs before rendering/templating

Fixes https://github.com/vector-im/riot-web/issues/13344
---
 src/components/views/elements/AppTile.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js
index 60382b5606..bf9054771c 100644
--- a/src/components/views/elements/AppTile.js
+++ b/src/components/views/elements/AppTile.js
@@ -636,7 +636,10 @@ export default class AppTile extends React.Component {
 if (ALLOWED_APP_URL_SCHEMES.includes(parsedWidgetUrl.protocol)) {
 safeWidgetUrl = url.format(parsedWidgetUrl);
 }
- return safeWidgetUrl;
+
+ // Replace all the dollar signs back to dollar signs as they don't affect HTTP at all.
+ // We also need the dollar signs in-tact for variable substitution.
+ return safeWidgetUrl.replace(/%24/g, '$');
 }
 
 _getTileTitle() {
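Review bot: The `.replace(/%24/g, '$')` on the new return line runs over the whole formatted URL after the `ALLOWED_APP_URL_SCHEMES` check, so it also un-escapes any `%24` that a widget author encoded on purpose, and the later variable substitution would presumably treat it as a template marker. The value is still returned as the "safe" URL, so the comment should record that this post-validation rewrite is deliberate and what it covers, for example `// Decode every %24 back to a literal '$' so variable substitution still works; note this also decodes a %24 that was escaped on purpose.` The call also assumes `safeWidgetUrl` is still a string when the scheme is rejected; its initial value is set outside this hunk, so confirm it is never null or undefined there. A regression test that passes a URL with both `$` and `%24` through this method would pin the intended behaviour. The enclosing method starts above the hunk.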