Merge pull request #16 from FluffyJenkins/feature/qmlWhitelistMeow

QML Whitelisting

interface/src/Application.cpp

@@ -3202,10 +3202,30 @@ void Application::initializeUi() {
     // Allow remote QML content from trusted sources ONLY
     {
         auto defaultUrlValidator = OffscreenQmlSurface::getUrlValidator();
-        auto newValidator = [=](const QUrl& url)->bool {
+        auto newValidator = [=](const QUrl& url) -> bool {
-            if (AUTHORIZED_EXTERNAL_QML_SOURCE.isParentOf(url)) {
+            QString whitelistPrefix = "[WHITELIST ENTITY SCRIPTS]";
-                return true;
+            QList<QString> safeURLS = { "" };
+            safeURLS += qEnvironmentVariable("EXTRA_WHITELIST").trimmed().split(QRegExp("\\s*,\\s*"), QString::SkipEmptyParts);
+
+            // PULL SAFEURLS FROM INTERFACE.JSON Settings
+
+            QVariant raw = Setting::Handle<QVariant>("private/settingsSafeURLS").get();
+            QStringList settingsSafeURLS = raw.toString().trimmed().split(QRegExp("\\s*[,\r\n]+\\s*"), QString::SkipEmptyParts);
+            safeURLS += settingsSafeURLS;
+
+            // END PULL SAFEURLS FROM INTERFACE.JSON Settings
+
+            bool isInWhitelist = false;  // assume unsafe
+            for (const auto& str : safeURLS) {
+                if (!str.isEmpty() && str.endsWith(".qml") && url.toString().endsWith(".qml") &&
+                    url.toString().startsWith(str)) {
+                    qCDebug(interfaceapp) << "Found matching url!" << url.host();
+                    isInWhitelist = true;
+                    return true;
+                }
             }
+
+            qCDebug(interfaceapp) << "No matching url" << url.host();
             return defaultUrlValidator(url);
         };
         OffscreenQmlSurface::setUrlValidator(newValidator);