From e7cb111874357427916750d809b08cb4f784c0c9 Mon Sep 17 00:00:00 2001
From: Ben Hall
Date: Tue, 21 Jan 2025 21:42:00 +0000
Subject: [PATCH] fixed image url validation

Signed-off-by: Ben Hall
---
 app/http/endpoints/api/panel/validation.go | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/app/http/endpoints/api/panel/validation.go b/app/http/endpoints/api/panel/validation.go
index 56396f4..57e87e3 100644
--- a/app/http/endpoints/api/panel/validation.go
+++ b/app/http/endpoints/api/panel/validation.go
@@ -172,9 +172,7 @@ var urlRegex = regexp.MustCompile(`^https?://([-a-zA-Z0-9@:%._+~#=]{1,256})\.[a-
 func validateNullableUrl(url *string) validation.ValidationFunc {
 return func() error {
 if url != nil && (len(*url) > 255 || !urlRegex.MatchString(*url)) {
- if *url != "%avatar_url%" {
- return validation.NewInvalidInputError("Invalid URL")
- }
+ return validation.NewInvalidInputError("Invalid URL")
 }

 return nil
@@ -361,6 +359,18 @@ func validateAccessControlList(ctx PanelValidationContext) validation.Validation

 func validateEmbed(e *types.CustomEmbed) error {
 if e == nil || e.Title != nil || e.Description != nil || len(e.Fields) > 0 || e.ImageUrl != nil || e.ThumbnailUrl != nil {
+ if e.ImageUrl != nil && (len(*e.ImageUrl) > 255 || !urlRegex.MatchString(*e.ImageUrl)) {
+ if *e.ImageUrl != "%avatar_url%" {
+ return validation.NewInvalidInputError("Invalid URL")
+ }
+ }
+
+ if e.ThumbnailUrl != nil && (len(*e.ThumbnailUrl) > 255 || !urlRegex.MatchString(*e.ThumbnailUrl)) {
+ if *e.ThumbnailUrl != "%avatar_url%" {
+ return validation.NewInvalidInputError("Invalid URL")
+ }
+ }
+
 return nil
 }

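Review bot: validateNullableUrl now rejects `%avatar_url%` for every caller, not only for the embed image fields whose exception moves to validateEmbed. Its call sites are outside this hunk, so it is worth confirming that no other field validated through it, and no already-stored panel that gets re-submitted, relies on the placeholder. A doc comment would record the tightened contract, e.g. `// validateNullableUrl accepts nil or an http(s) URL of at most 255 bytes that matches urlRegex; placeholders such as %avatar_url% are rejected.` The function's closing lines are outside the hunk.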
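Review bot: The new URL checks in validateEmbed sit inside the branch that is also taken when `e == nil`, so a nil embed now reaches `e.ImageUrl` and panics with a nil-pointer dereference where the old code returned nil. Handle that case before touching the fields, e.g. `if e == nil { return nil }` ahead of the outer `if`, or guard both checks with `e != nil`. The two checks are identical apart from the field, so a small helper taking the `*string`, with `%avatar_url%` as a named constant, would keep the placeholder exception in one place. validateEmbed's body continues past the end of the hunk.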