`?project_url=` can be used on URLs with project IDs

[gradylink]

From my understanding, it doesn't even disable cloud variables, so this is a clear way to exploit projects with cloud variables. Someone could make a "hacked" version of the project, put it on a file sharing website like https://catbox.moe, then load the modified one with the original's project ID allowing them to modify cloud variables when they shouldn't be able to (and disrupting other people using the project.)

EDIT: here's an example url https://turbowarp.org/142?project_url=raw.githubusercontent.com/Its-Jakey/Linux-On-Scratch/main/rv32ima.sb3&size=640x400&turbo (not doing anything with cloud variables though), it uses the name from the original project ID though.

[GarboMuffin]

there's many easier ways to break cloud variables so we don't really consider that a security bug or anything like that