From db398b7850782bd0942ffd58c2a3889d9f3ef8df Mon Sep 17 00:00:00 2001
From: Stephen Birarda
Date: Mon, 23 Jan 2017 13:36:02 -0800
Subject: [PATCH] check URL host for script whitelist, not startsWith
---
 libraries/entities/src/EntityTree.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libraries/entities/src/EntityTree.cpp b/libraries/entities/src/EntityTree.cpp
index 4796dda671..fdf95d2775 100644
--- a/libraries/entities/src/EntityTree.cpp
+++ b/libraries/entities/src/EntityTree.cpp
@@ -958,9 +958,12 @@ int EntityTree::processEditPacketData(ReceivedMessage& message, const unsigned c
 if (validEditPacket && !_entityScriptSourceWhitelist.isEmpty() && !properties.getScript().isEmpty()) {
 bool passedWhiteList = false;
- auto entityScript = properties.getScript();
+
+ // grab a URL representation of the entity script so we can check the host for this script
+ auto entityScriptURL = QUrl::fromUserInput(properties.getScript());
+
 for (const auto& whiteListedPrefix : _entityScriptSourceWhitelist) {
- if (entityScript.startsWith(whiteListedPrefix, Qt::CaseInsensitive)) {
+ if (entityScriptURL.host().compare(whiteListedPrefix, Qt::CaseInsensitive) == 0) {
 passedWhiteList = true;
 break;
 }
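Review bot: The host comparison in the `for` loop constrains only `entityScriptURL.host()`: scheme, port and path are not checked, and `QUrl::fromUserInput` guesses a scheme or yields a `file:` URL with an empty host when the script string is not a clean URL. An empty host compares equal to an empty whitelist entry, if the list can contain one (not visible here), so host-less scripts should be rejected explicitly: `const auto scriptHost = entityScriptURL.host();` before the loop and `if (!scriptHost.isEmpty() && scriptHost.compare(whiteListedPrefix, Qt::CaseInsensitive) == 0) {` inside it. If only some schemes are meant to be fetched, also check `entityScriptURL.scheme()` here, and parse the string the same way the script loader does so that the host being checked is the host actually contacted. The loop variable is still named `whiteListedPrefix` although entries are now treated as hosts; renaming it to `whiteListedHost`, with a comment that prefix-style entries carrying a scheme or path no longer match, would spare operators a silent behaviour change. The enclosing function begins and ends outside the hunk.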