Potential fix for code scanning alert no. 21: Incomplete URL substring sanitization #4

Merged
Tanker187 merged 1 commit into main from alert-autofix-21
Feb 28, 2026

Conversation

@Tanker187 (Owner)

Potential fix for https://github.com/Tanker187/stagehand/security/code-scanning/21

In general, to fix incomplete URL substring sanitization, you must parse the URL into its structured components and validate the host/hostname instead of searching for substrings in the full URL. Then compare the parsed host against an explicit whitelist or exact expected value, and perform any path/content checks separately on appropriate components.

Here, instead of url.includes("trivago.com"), we should parse url using the standard URL class and verify that hostname is exactly www.trivago.com (or one of a small, explicit set of allowed hostnames). We can keep the existing path fragment check (url.includes("hotel-h10-tribeca-madrid")) since that’s matching a specific hotel slug in the path, not a host. Concretely, right after obtaining const url = page.url();, introduce const parsedUrl = new URL(url); and then change the condition to:

const url = page.url();
const parsedUrl = new URL(url);

if (
  parsedUrl.hostname === "www.trivago.com" &&
  url.includes("hotel-h10-tribeca-madrid")
) {
  // existing hotel-page handling stays unchanged
}

This keeps existing functionality (we still check that we’re on trivago and on the right hotel page), but makes the host check precise and not vulnerable to arbitrary substrings. No extra imports are required because URL is available in modern Node/TypeScript environments; we also avoid modifying any other logic or returned values.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
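The substring check the alert flags and the hostname check the PR adopts, run side by side over a few constructed URLs. This is an added example, not code from the stagehand repository; the function names and sample URLs are assumed, and the hardened version also looks for the hotel slug in the parsed pathname rather than the whole URL, as the description's first paragraph recommends.

```javascript
// Added example (not from the stagehand repository). Function names and the
// sample URLs below are constructed for illustration. URL is built into Node.js.

// Check as originally written: substring matches on the whole URL string.
function isHotelPageSubstringCheck(url) {
  return url.includes("trivago.com") && url.includes("hotel-h10-tribeca-madrid");
}

// Check after the fix: parse, then compare the hostname exactly. The slug is
// looked for in the pathname only, so a query string cannot satisfy it.
function isHotelPageParsedCheck(url) {
  let parsedUrl;
  try {
    parsedUrl = new URL(url); // throws TypeError on invalid input
  } catch {
    return false; // unparseable input is never a match
  }
  return (
    parsedUrl.hostname === "www.trivago.com" &&
    parsedUrl.pathname.includes("hotel-h10-tribeca-madrid")
  );
}

// Constructed inputs: the expected page first, then URLs on which the
// substring check and the parsed check disagree.
const SAMPLE_URLS = [
  "https://www.trivago.com/en-US/hotel-h10-tribeca-madrid",
  "https://www.trivago.com.example/hotel-h10-tribeca-madrid", // lookalike host
  "https://example.test/?ref=trivago.com&p=hotel-h10-tribeca-madrid", // query only
  "https://www.trivago.com/?q=hotel-h10-tribeca-madrid", // right host, slug not in path
  "not a url at all",
];

// Runs both checks over the samples and returns one row per URL.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    substring: isHotelPageSubstringCheck(url),
    parsed: isHotelPageParsedCheck(url),
  }));
}

for (const row of compareChecks()) {
  console.log(`${row.substring}\t${row.parsed}\t${row.url}`);
}
```

Only the first sample passes the parsed check; the substring check accepts the next three as well, which is the incompleteness the alert reports.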

…g sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@Tanker187 Tanker187 marked this pull request as ready for review February 28, 2026 03:42
@Tanker187 Tanker187 merged commit 3382ad9 into main Feb 28, 2026
18 of 25 checks passed
@Tanker187 Tanker187 self-assigned this Feb 28, 2026
Repository owner locked and limited conversation to collaborators Feb 28, 2026
@Tanker187 Tanker187 deleted the alert-autofix-21 branch February 28, 2026 03:42