fix(validators): reject HTML metacharacters and whitespace in websiteUrl #1249
Merged
Conversation
`validateWebsiteURL` only checked that the URL parses, is absolute, and uses the `https` scheme. It accepted literal `"`, `'`, `<`, `>`, and ASCII space — none of which are valid in a URI per RFC 3986, and all of which broke rendering when the value flowed into the catalogue UI's `<a href="...">` template.

Add a `strings.IndexAny` check after the scheme check that rejects any of these characters with a clear `website-url-invalid-characters` issue that points at the offending byte position. Control characters (`\t`, `\n`, `\r`) are also covered: they're caught one step earlier by Go's `url.Parse`, but the bytes are listed in the rejection set so the behaviour is explicit and survives any future relaxation of `url.Parse`. Already-percent-encoded URLs (e.g. `?q=hello%20world`) continue to validate cleanly.

Adds table-driven cases for `"`, `'`, `<>`, space, newline, and a positive case for percent-encoded special characters.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
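The validator described above, written out as an added, stand-alone example rather than the project's own code (the PR diff is not reproduced on this page). The `Issue` type, the `Position` field and every issue code other than `website-url-invalid-characters` are assumptions made for the example; the rejection set, the ordering of the checks and the reliance on `url.Parse` for control bytes follow the description.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Issue describes why a website URL was rejected. The Code values other
// than "website-url-invalid-characters" are assumptions for this example;
// the project's own issue codes may differ.
type Issue struct {
	Code     string
	Position int // byte offset of the offending character, or -1 if not applicable
}

// invalidWebsiteURLChars is the rejection set named in the PR: the HTML
// metacharacters, ASCII space, and the three control characters. None of
// these may appear literally in a URI (RFC 3986); they must be
// percent-encoded, which is why "%20" or "%22" still validate.
const invalidWebsiteURLChars = "\"'<> \t\n\r"

// validateWebsiteURL returns nil when raw is an absolute https URL with no
// literal metacharacters, otherwise the first Issue found.
func validateWebsiteURL(raw string) *Issue {
	u, err := url.Parse(raw)
	if err != nil {
		// url.Parse already rejects control bytes (\t, \n, \r); they stay in
		// invalidWebsiteURLChars below so the policy is explicit regardless.
		return &Issue{Code: "website-url-unparseable", Position: -1}
	}
	if !u.IsAbs() {
		return &Issue{Code: "website-url-not-absolute", Position: -1}
	}
	if u.Scheme != "https" {
		return &Issue{Code: "website-url-scheme-not-https", Position: -1}
	}
	// The check runs on the raw input, not on the parsed fields, so a
	// metacharacter in any component (host, path, query, fragment) is caught
	// and the reported position refers to the string the user submitted.
	if i := strings.IndexAny(raw, invalidWebsiteURLChars); i >= 0 {
		return &Issue{Code: "website-url-invalid-characters", Position: i}
	}
	return nil
}

func main() {
	// Constructed sample inputs covering the cases the PR's table tests name.
	samples := []string{
		"https://example.com/path?q=hello%20world",
		"https://example.com/a\"b",
		"https://example.com/docs?q=<script>",
		"https://example.com/a b",
		"https://example.com/a\nb",
		"http://example.com",
		"/relative/only",
	}
	for _, s := range samples {
		if issue := validateWebsiteURL(s); issue != nil {
			fmt.Printf("%-45q -> %s (pos %d)\n", s, issue.Code, issue.Position)
		} else {
			fmt.Printf("%-45q -> ok\n", s)
		}
	}
}
```

Two points worth noting from running it: Go's `url.Parse` is lenient about `"`, `<`, `>` and spaces in the path and query (it only rejects control bytes outright, and unescaped metacharacters in the host), so without the explicit `IndexAny` pass a value like `https://example.com/a"b` reaches the template untouched; and the check is a data-quality gate, not a substitute for output encoding, so the `<a href="...">` template should still rely on contextual escaping (Go's `html/template` does this) for whatever does get stored.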