Skip to content

Normalize Mastodon handle into profile URL and reject dangerous schemas.#1776

Merged
marcoroth merged 1 commit into
rubyevents:mainfrom
connorshea:fix/mastodon-link
Jun 7, 2026
Merged

Normalize Mastodon handle into profile URL and reject dangerous schemas.#1776
marcoroth merged 1 commit into
rubyevents:mainfrom
connorshea:fix/mastodon-link

Conversation

@connorshea

@connorshea connorshea commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

Description

AI Disclosure: Changeset generated with Claude Code, reviewed and tested by me.

This isn't actually realistically abusable by an attacker right now because the link is target="_blank" which removes all ability to use the javascript: schema in modern browsers, but I figure it's best to be safe here just in case.

This normalizes the Mastodon URL on user profiles to prevent any URLs outside the normal http/https schema. It still allows the @username@mastodon.host format as well.

Screenshots

Previously I was able to set the value to a malicious javascript command, but it will not save that to the database anymore after this PR:

Screenshot 2026-06-07 at 3 27 28 PM

But normal usernames/URLs continue to work fine:

Screenshot 2026-06-07 at 3 28 46 PM

Testing Steps

  • Set a Mastodon username using a URL, ensure the user page renders and the link works.
  • Set a Mastodon username using the @name@host.com format, ensure the user page renders and the link works correctly.
  • Set a Mastodon username as javascript:alert(document.cookie), see that it gets reset to blank string.

References

N/A

…URI schemes.

This isn't actually abusable by a user right now because the link is `target="_blank"` which removes all ability to use the `javascript:` schema in modern browsers, but I figure it's best to be safe here just in case.

@marcoroth marcoroth left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the fix @connorshea!

Also good to know there wasn't really a way for this the be actually dangerous in production 🙌🏼

@marcoroth marcoroth changed the title fix: Normalize Mastodon handle into profile URL and reject dangerous schemas. Normalize Mastodon handle into profile URL and reject dangerous schemas. Jun 7, 2026
@marcoroth marcoroth merged commit 4f94e2e into rubyevents:main Jun 7, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants