From 674e4c863ba5fb8564d466ed303ae7ba39417ea3 Mon Sep 17 00:00:00 2001 From: Srikanth Patchava Date: Sat, 25 Apr 2026 04:51:15 -0700 Subject: [PATCH] fix: allow & in URLs for query parameters in OpenURL() Remove & from rejected shell metacharacters since URLs legitimately use & for query parameters (e.g., ?key=val&key2=val2). The remaining checks still prevent command injection via other metacharacters. --- src/platforms/rcore_desktop_glfw.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/platforms/rcore_desktop_glfw.c b/src/platforms/rcore_desktop_glfw.c index 70a820b3e..22d4b49cc 100644 --- a/src/platforms/rcore_desktop_glfw.c +++ b/src/platforms/rcore_desktop_glfw.c @@ -1192,9 +1192,9 @@ void OpenURL(const char *url) { // Security check to avoid malicious code injection if (strchr(url, '\'') != NULL || strchr(url, '"') != NULL || - strchr(url, '&') != NULL || strchr(url, '|') != NULL || - strchr(url, ';') != NULL || strchr(url, '`') != NULL || - strchr(url, '$') != NULL || strchr(url, '\\') != NULL) + strchr(url, '|') != NULL || strchr(url, ';') != NULL || + strchr(url, '`') != NULL || strchr(url, '$') != NULL || + strchr(url, '\\') != NULL) { TRACELOG(LOG_WARNING, "SYSTEM: Provided URL contains potentially dangerous characters"); }