Closed juzim closed 7 years ago
Presumably if a user creates such a malicious fork, they would also remove this safety check?
Sure, but you would see the change in the source. Right now it's just a hidden security hole that every user has to find themselves. Also the check accepts any URL with http as a valid packtpub URL, which is just plain wrong.
Ah. It's the newsletter. Yeah, that makes sense then.
New tag: v2.2.4
If someone (maybe in a fork) creates a page with the same DOM as packtpub and supplies a newsletter URL that points there, he could make the script download malicious or spammy PDFs without the user's knowledge. So it's better to check if the provided URL actually points to packtpub.
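The substring-style check criticised above next to a host-based one, as an added example that is not the project's own code; it assumes `packtpub.com` (and its subdomains) is the only host the newsletter link should ever point at, and that the link is expected to be https.

```python
from urllib.parse import urlsplit

# Host the newsletter link is expected to point at (assumption for this example).
ALLOWED_HOSTS = ("packtpub.com",)


def weak_is_packtpub_url(url: str) -> bool:
    """The kind of check described in the thread: any string containing
    'http' passes, so an attacker-controlled newsletter URL is accepted."""
    return "http" in url


def is_packtpub_url(url: str) -> bool:
    """Accept only https URLs whose parsed hostname is packtpub.com or a
    subdomain of it. Comparing the parsed hostname rather than the raw
    string means 'packtpub.com' appearing in the path, in the query, or
    as a prefix of another host (packtpub.com.evil.example) does not pass."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed URL (e.g. an unterminated IPv6 literal): reject.
        return False
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    if not host:
        return False
    # Reject embedded credentials: "https://packtpub.com@evil.example/"
    # looks like packtpub to a human but resolves to evil.example.
    if parts.username is not None or parts.password is not None:
        return False
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


if __name__ == "__main__":
    # Constructed sample links: the first two are legitimate, the rest are
    # the shapes of URL a malicious fork or newsletter could supply.
    samples = [
        "https://www.packtpub.com/packt/offers/free-learning",
        "https://packtpub.com/",
        "https://evil.example/packtpub.com/free.pdf",
        "https://packtpub.com.evil.example/free.pdf",
        "https://packtpub.com@evil.example/free.pdf",
        "http://www.packtpub.com/",
    ]
    for url in samples:
        print(f"{url:55} weak={weak_is_packtpub_url(url)!s:5} host={is_packtpub_url(url)}")
```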