From 46685f45aa78410d592e30c0c8fbb30bc87a1901 Mon Sep 17 00:00:00 2001
From: jo <ljonas@riseup.net>
Date: Thu, 7 Oct 2021 19:04:01 +0200
Subject: [PATCH] Sanitize CORS value before insert

---
 airtime_mvc/application/models/Preference.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/airtime_mvc/application/models/Preference.php b/airtime_mvc/application/models/Preference.php
index c2f9fe4b3..0d164e7c8 100644
--- a/airtime_mvc/application/models/Preference.php
+++ b/airtime_mvc/application/models/Preference.php
@@ -1556,7 +1556,16 @@ class Application_Model_Preference
      * @param string $value
      * @return void
      */
-    public static function SetAllowedCorsUrls($value) {
+    public static function SetAllowedCorsUrls($value)
+    {
+        // Trim and strip trailing slash for each entry
+        $value = implode(PHP_EOL, array_map(
+            function ($v) {
+                return rtrim(trim($v), '/');
+            },
+            explode(PHP_EOL, $value)
+        ));
+
         self::setValue('allowed_cors_urls', $value);
     }