From 7bdb9524adafb80a78548e9231a9fca3248dc161 Mon Sep 17 00:00:00 2001
From: adrien
Date: Tue, 10 Mar 2026 03:23:30 +0100
Subject: [PATCH] sanitize input
---
 js/interface.js | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/js/interface.js b/js/interface.js
index 8cb6f0f..72cc08c 100644
--- a/js/interface.js
+++ b/js/interface.js
@@ -76,11 +76,14 @@ class Settings {
 placeholder: "URL de l'image",
 tags: true,
 createTag: function (params) {
- return {
- id: $.fn.select2.defaults.defaults.escapeMarkup(params.term),
- text: 'Ajouté manuellement',
- newTag: true,
- };
+ const url = encodeURI(params.term);
+ if (/^(https?:\/\/.*\.(?:png|jpg|jpeg|gif|bmp|webp|svg))$/i.test(url)) {
+ return {
+ id: url,
+ text: 'Source externe',
+ newTag: true,
+ };
+ }
 },
 });
 if (localStorage['skinURL']) {
@@ -91,8 +94,7 @@ class Settings {
 $('#skinURLSelect').val(localStorage['skinURL']).trigger('change');
 } else {
 var option = new Option(
- localStorage['skinURL'],
- 'Ajouté manuellement',
+ 'Source externe',
 localStorage['skinURL'],
 true,
 true,
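Review bot: The new check in `createTag` runs a regex over the `encodeURI` output instead of over a parsed URL, so the extension test can be satisfied by the query string or fragment rather than the path, and an already percent-encoded URL gets its `%` encoded a second time. `encodeURI` also leaves `'`, `(` and `)` untouched, which matters if the value is later placed in a CSS `url('…')` or a single-quoted attribute; that sink is outside this hunk, so quoting there still needs to be confirmed. Parsing with `new URL`, checking `protocol`, and testing the extension against `pathname` makes the check follow what the browser will actually request. Returning `null` explicitly also documents the rejected case, which the current code leaves as an implicit `undefined`.

```javascript
createTag: function (params) {
  let parsed;
  try {
    parsed = new URL(params.term);
  } catch (err) {
    return null; // not an absolute URL: create no tag
  }
  const isHttp = parsed.protocol === 'http:' || parsed.protocol === 'https:';
  const isImage = /\.(?:png|jpe?g|gif|bmp|webp|svg)$/i.test(parsed.pathname);
  if (!isHttp || !isImage) {
    return null;
  }
  return {
    id: parsed.href,
    // … unchanged: text, newTag …
  };
},
```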
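Review bot: `localStorage['skinURL']` is still passed to `new Option(...)` as the option value without the scheme and extension check that `createTag` now applies. A value stored before this commit, or written to storage by any other script on the same origin, therefore bypasses the new validation. Moving the check into a shared helper (for example `isAllowedSkinUrl(url)`) and calling it before building the option, dropping the stored value when it fails, would close that gap. The `new Option(` call and the enclosing `if`/`else` continue outside the hunk, so whether the value is validated again where it is consumed cannot be seen here.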