From e2d30e708ec433e40d3175280220ed2ab19f4318 Mon Sep 17 00:00:00 2001
From: zeppi <jessopb@gmail.com>
Date: Fri, 19 Feb 2021 09:30:28 -0500
Subject: [PATCH] decode uri before test /$/

---
 web/middleware/iframe-destroyer.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/web/middleware/iframe-destroyer.js b/web/middleware/iframe-destroyer.js
index 1737480f3..13d6a7b2c 100644
--- a/web/middleware/iframe-destroyer.js
+++ b/web/middleware/iframe-destroyer.js
@@ -4,8 +4,9 @@ async function iframeDestroyerMiddleware(ctx, next) {
   const {
     request: { path },
   } = ctx;
+  const decodedPath = decodeURIComponent(path);
 
-  if (!path.startsWith(`/$/${PAGES.EMBED}`)) {
+  if (!decodedPath.startsWith(`/$/${PAGES.EMBED}`)) {
     ctx.set('X-Frame-Options', 'DENY');
   }