Description: Improve script url validation
Author: Robert Newson <rnewson@apache.org>
Bug-Debian: http://bugs.debian.org/698439
Last-Update: 2012-12-18

---

diff --git a/share/www/script/couch_test_runner.js b/share/www/script/couch_test_runner.js
index c1e7a72..60ba11c 100644
--- a/share/www/script/couch_test_runner.js
+++ b/share/www/script/couch_test_runner.js
@@ -15,11 +15,9 @@
 
 function loadScript(url) {
   // disallow loading remote URLs
-  if((url.substr(0, 7) == "http://")
-    || (url.substr(0, 2) == "//")
-    || (url.substr(0, 5) == "data:")
-    || (url.substr(0, 11) == "javascript:")) {
-        throw "Not loading remote test scripts";
+  var re = /^[a-z0-9_]+(\/[a-z0-9_]+)*\.js#?$/;
+  if (!re.test(url)) {
+      throw "Not loading remote test scripts";
   }
   if (typeof document != "undefined") document.write('<script src="'+url+'"></script>');
 };