From 0114d8a43161ed8bf90e988d9125af4ae6e61165 Mon Sep 17 00:00:00 2001
From: Bas Alberts
Date: Thu, 22 Dec 2022 22:43:23 -0500
Subject: further harden custom emoji regex filtering

Prevent empty string shortcodes from creating dotfiles inside the custom emoji download dir to prevent e.g. ".envrc" and other such contextual dotfiles from being created in the legitimate download location.
---
 lisp/mastodon-toot.el | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lisp/mastodon-toot.el b/lisp/mastodon-toot.el
index 06c49a3..d1e8cbe 100644
--- a/lisp/mastodon-toot.el
+++ b/lisp/mastodon-toot.el
@@ -614,8 +614,8 @@ To use the downloaded emoji, run `mastodon-toot--enable-custom-emoji'."
 (shortcode (alist-get 'shortcode x)))
 ;; skip anything that contains unexpected characters
 (when (and url shortcode
- (string-match-p "^[a-zA-Z0-9-_]*$" shortcode)
- (string-match-p "^[a-zA-Z]*$" (file-name-extension url)))
+ (string-match-p "^[a-zA-Z0-9-_]+$" shortcode)
+ (string-match-p "^[a-zA-Z]+$" (file-name-extension url)))
 (url-copy-file url
 (concat
 mastodon-custom-emoji-dir
-- 
cgit v1.2.3
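Review bot: Both new `string-match-p` patterns still anchor with `^` and `$`, which in Emacs regexps match at the start and end of any line rather than of the whole string, so a server-supplied shortcode or extension containing a newline passes the filter as long as one of its lines matches, and the unvalidated remainder still reaches the file name built under `mastodon-custom-emoji-dir`. The string anchors should be used instead: ``(string-match-p "\\`[a-zA-Z0-9_-]+\\'" shortcode)`` and the same ``\\` … \\'`` pair for the extension pattern (moving `-` to the end of the set also makes the literal hyphen explicit). Separately, `(file-name-extension url)` returns nil for a URL with no extension, and `string-match-p` signals an error on a non-string, which would presumably abort the whole download loop; wrapping it as `(or (file-name-extension url) "")` lets such entries be skipped instead. The enclosing function begins and ends outside this hunk, so how the result of `url-copy-file` is handled cannot be checked from here.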