check valid shortcode

package.json

@@ -2,7 +2,7 @@
   "devDependencies": {
     "prettier": "^3.0.3",
     "prettier-plugin-tailwindcss": "^0.5.6",
-    "tailwindcss": "^3.3.5"
+    "tailwindcss": "^3.4.1"
   },
   "scripts": {
     "postinstall": "tailwind -i tailwind.css -o static/tailwind-bundle.min.css --minify"

render_event.go

@@ -18,6 +18,15 @@ import (
 	"github.com/pelletier/go-toml"
 )
 
+func isValidShortcode(s string) bool {
+	for _, r := range s {
+		if !('a' <= r && r <= 'z' || 'A' <= r && r <= 'Z' || '0' <= r && r <= '9' || r == '_') {
+			return false
+		}
+	}
+	return true
+}
+
 func renderEvent(w http.ResponseWriter, r *http.Request) {
 	code := r.URL.Path[1:] // hopefully a nip19 code
 
@@ -349,8 +358,11 @@ func renderEvent(w http.ResponseWriter, r *http.Request) {
 
 		content := data.content
 		for _, tag := range data.event.Tags.GetAll([]string{"emoji"}) {
-			if len(tag) >= 3 {
-				content = strings.ReplaceAll(content, ":"+tag[1]+":", `<img class="emoji" src="`+tag[2]+`"/>`)
+			if len(tag) >= 3 && isValidShortcode(tag[1]) {
+				u, err := url.Parse(tag[2])
+				if err == nil {
+					content = strings.ReplaceAll(content, ":"+tag[1]+":", `<img class="emoji" src="`+u.String()+`"/>`)
+				}
 			}
 		}
 		component = noteTemplate(NotePageParams{