From 2890d55e39dce0acf66adc18da50458a880d30db Mon Sep 17 00:00:00 2001
From: xiaoxustudio
Date: Sat, 20 Jun 2026 23:27:51 +0800
Subject: [PATCH 1/2] fix: validate scene file extension

---
 packages/webgal/src/Core/controller/scene/sceneFetcher.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/packages/webgal/src/Core/controller/scene/sceneFetcher.ts b/packages/webgal/src/Core/controller/scene/sceneFetcher.ts
index c66c04cf1..78720c6f5 100644
--- a/packages/webgal/src/Core/controller/scene/sceneFetcher.ts
+++ b/packages/webgal/src/Core/controller/scene/sceneFetcher.ts
@@ -6,6 +6,10 @@ import axios from 'axios';
 */
 export const sceneFetcher = (sceneUrl: string) => {
 return new Promise((resolve, reject) => {
+ if (!sceneUrl.endsWith('.txt')) {
+ reject('Scene file must be a txt file');
+ return;
+ }
 axios
 .get(sceneUrl)
 .then((response) => {

From 86d292ae27f043ce9adb85c13bc178dbb9736618 Mon Sep 17 00:00:00 2001
From: Mahiru
Date: Sat, 4 Jul 2026 10:53:41 +0800
Subject: [PATCH 2/2] fix: validate parsed scene url path

---
 packages/webgal/src/Core/controller/scene/sceneFetcher.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/packages/webgal/src/Core/controller/scene/sceneFetcher.ts b/packages/webgal/src/Core/controller/scene/sceneFetcher.ts
index 78720c6f5..9f6102c84 100644
--- a/packages/webgal/src/Core/controller/scene/sceneFetcher.ts
+++ b/packages/webgal/src/Core/controller/scene/sceneFetcher.ts
@@ -6,7 +6,13 @@ import axios from 'axios';
 */
 export const sceneFetcher = (sceneUrl: string) => {
 return new Promise((resolve, reject) => {
- if (!sceneUrl.endsWith('.txt')) {
+ let scenePath = '';
+ try {
+ scenePath = sceneUrl ? new URL(sceneUrl, window.location.href).pathname : '';
+ } catch {
+ scenePath = '';
+ }
+ if (!scenePath.endsWith('.txt')) {
 reject('Scene file must be a txt file');
 return;
 }
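Review bot: The guard added in PATCH 1/2 rejects with a bare string, `reject('Scene file must be a txt file')`, so a catch handler gets no stack trace and cannot tell this validation failure from a network error by type. The usual form is `reject(new Error('Scene file must be a txt file'));`. The same call is carried unchanged into the hunk of PATCH 2/2. The rest of sceneFetcher, including how the axios failure path rejects, lies outside the hunk, so confirm that no caller compares the rejection value against this string before changing it.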
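Review bot: The check added in PATCH 2/2 tests only the parsed `pathname`, so the scheme and host of `sceneUrl` remain unconstrained and any location whose path ends in `.txt` is accepted. The parsed URL is also discarded: the request itself is outside this hunk, but the context of PATCH 1/2 shows `axios.get(sceneUrl)`, so the value validated is presumably not the value fetched. If scenes are meant to load only from the game's own origin, keep the parsed object inside the existing `try` as `const parsed = new URL(sceneUrl, window.location.href);`, test `if (parsed.origin !== window.location.origin || !parsed.pathname.endsWith('.txt'))`, and pass `parsed.href` to the request. A file-name suffix says nothing about the response content, so a short comment stating what this guard is and is not expected to prevent would help the next reader.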