fix: allow & in URLs for query parameters in OpenURL()

Remove & from rejected shell metacharacters since URLs legitimately
use & for query parameters (e.g., ?key=val&key2=val2). The remaining
checks still prevent command injection via other metacharacters.
This commit is contained in:
Srikanth Patchava 2026-04-25 04:51:15 -07:00
parent 872dbb7264
commit 674e4c863b

View File

@ -1192,9 +1192,9 @@ void OpenURL(const char *url)
{
// Security check to avoid malicious code injection
if (strchr(url, '\'') != NULL || strchr(url, '"') != NULL ||
strchr(url, '&') != NULL || strchr(url, '|') != NULL ||
strchr(url, ';') != NULL || strchr(url, '`') != NULL ||
strchr(url, '$') != NULL || strchr(url, '\\') != NULL)
strchr(url, '|') != NULL || strchr(url, ';') != NULL ||
strchr(url, '`') != NULL || strchr(url, '$') != NULL ||
strchr(url, '\\') != NULL)
{
TRACELOG(LOG_WARNING, "SYSTEM: Provided URL contains potentially dangerous characters");
}