From 4c1cf463b85a1d516a5891310fdbfd18f9d48f3c Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Wed, 26 Oct 2022 14:56:13 +0100
Subject: [PATCH] Forbid any exec commands
---
 utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils.py b/utils.py
index 0873f89ea..c1d6567fb 100644
--- a/utils.py
+++ b/utils.py
@@ -1101,7 +1101,7 @@ def dangerous_markup(content: str, allow_local_network_access: bool) -> bool:
 """
 separators = [['<', '>'], ['<', '>']]
 invalid_strings = [
- 'analytics', 'ampproject', 'googleapis'
+ 'analytics', 'ampproject', 'googleapis', '_exec('
 ]
 if _is_dangerous_string_simple(content, allow_local_network_access, separators, invalid_strings):
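Review bot: The new `'_exec('` entry in `invalid_strings` is narrower than the commit title "Forbid any exec commands". Assuming `_is_dangerous_string_simple` does a literal substring match (the helper is not visible here), it only rejects names that end in `_exec(`, so a bare `exec(` call, or one with whitespace before the parenthesis, would presumably still pass. If the intent is every exec-style call, the entry should be widened or the text normalised before matching, with a unit test pinning one blocked and one allowed sample. The entry also sits beside tracker domain names with no explanation, so a comment such as `# reject embedded *_exec( calls; literal substring match only` would record the intent. The body of `dangerous_markup` starts and ends outside this hunk.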