From 6ff2984ef78fbcb03a20a238e1eb721d1854e6b2 Mon Sep 17 00:00:00 2001
From: Miodec
Date: Tue, 3 Aug 2021 16:08:15 +0100
Subject: [PATCH] security patch from live
---
 backend/handlers/validation.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/backend/handlers/validation.js b/backend/handlers/validation.js
index 71bc49d27..70eeb6dec 100644
--- a/backend/handlers/validation.js
+++ b/backend/handlers/validation.js
@@ -80,8 +80,16 @@ function validateConfig(config) {
 if (!isConfigKeyValid(key)) {
 throw new MonkeyError(500, `Invalid config: ${key} failed regex check`);
 }
- if (key === "resultFilters") return;
- if (key === "customBackground") return;
+ // if (key === "resultFilters") return;
+ // if (key === "customBackground") return;
+ if (key === "customBackground" || key === "customLayoutfluid") {
+ if (/[<>]/.test(config[key])) {
+ throw new MonkeyError(
+ 500,
+ `Invalid config: ${key}:${config.key} failed regex check`
+ );
+ }
+ }
 let val = config[key];
 if (Array.isArray(val)) {
 val.forEach((valarr) => {
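Review bot: The new error message interpolates `${config.key}`, which reads the property literally named "key" rather than the value under test, so it will normally print `undefined`; use `${config[key]}`, or preferably leave the rejected value out of the message in case a client renders it. The guard `/[<>]/.test(config[key])` is a two-character denylist applied after string coercion: a plain object is tested as `[object Object]` and passes, and quotes, parentheses or a scheme prefix still get through, which may matter if `customBackground` reaches a CSS `url()` or an attribute (that sink is not visible here). Consider first requiring `typeof config[key] === "string"` and then validating against an allowlist, for example parsing `customBackground` with `new URL()` and accepting only `https:`, with output encoding where the value is rendered as the primary control. The two commented-out `return` lines should be deleted rather than kept, and `resultFilters` now falls through to the generic validation below, which lies outside this hunk along with the rest of `validateConfig`.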