fix(richtext-lexical): urls being wrongly encoded by incomplete URL validation (#14557)

paulpopus · web-flow · commit 2cb0c593344e · 2025-11-10T21:07:12.000Z
Fixes #14499 The issue was caused because our `validateUrl` function failed to catch URLs with query params as valid, added test suite for validateUrl as a function as well
diff --git a/packages/richtext-lexical/src/lexical/utils/url.spec.ts b/packages/richtext-lexical/src/lexical/utils/url.spec.ts
@@ -1,8 +1,8 @@
 import { jest } from '@jest/globals'
-import { absoluteRegExp, relativeOrAnchorRegExp } from './url.js'
+import { absoluteRegExp, relativeOrAnchorRegExp, validateUrl } from './url.js'
 
 describe('Lexical URL Regex Matchers', () => {
-  describe('relative URLs', () => {
+  describe('relativeOrAnchorRegExp', () => {
     it('validation for links it should match', async () => {
       const shouldMatch = [
         '/path/to/resource',
@@ -13,6 +13,10 @@ describe('Lexical URL Regex Matchers', () => {
         '#anchor',
         '#section-title',
         '/path#fragment',
+        '/page?id=123',
+        '/page?id=123#section',
+        '/search?q=test',
+        '/?global=true',
       ]
 
       shouldMatch.forEach((testCase) => {
@@ -40,7 +44,7 @@ describe('Lexical URL Regex Matchers', () => {
     })
   })
 
-  describe('absolute URLs', () => {
+  describe('absoluteRegExp', () => {
     it('validation for links it should match', async () => {
       const shouldMatch = [
         'http://example.com',
@@ -85,4 +89,158 @@ describe('Lexical URL Regex Matchers', () => {
       })
     })
   })
+
+  describe('validateUrl', () => {
+    describe('absolute URLs', () => {
+      it('should validate http and https URLs', () => {
+        const validUrls = [
+          'http://example.com',
+          'https://example.com',
+          'http://www.example.com',
+          'https://sub.example.com/path/file',
+          'http://example.com/resource',
+          'https://example.com/resource?key=value',
+          'http://example.com/resource#anchor',
+        ]
+
+        validUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(true)
+        })
+      })
+
+      it('should validate other protocol URLs', () => {
+        const validUrls = ['ftp://files.example.com', 'mailto:email@example.com', 'tel:+1234567890']
+
+        validUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(true)
+        })
+      })
+
+      it('should validate www URLs without protocol', () => {
+        const validUrls = [
+          'www.example.com',
+          'www.example.com/resource',
+          'www.example.com/resource?query=1',
+          'www.example.com#fragment',
+        ]
+
+        validUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(true)
+        })
+      })
+    })
+
+    describe('relative URLs', () => {
+      it('should validate relative paths', () => {
+        const validUrls = [
+          '/path/to/resource',
+          '/file-name.html',
+          '/',
+          '/dir/',
+          '/path.with.dots/',
+          '/path#fragment',
+        ]
+
+        validUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(true)
+        })
+      })
+    })
+
+    describe('anchor links', () => {
+      it('should validate anchor links', () => {
+        const validUrls = ['#anchor', '#section-title']
+
+        validUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(true)
+        })
+      })
+    })
+
+    describe('with query params', () => {
+      it('should validate relative URLs with query parameters', () => {
+        const validUrls = [
+          '/page?id=123',
+          '/search?q=test',
+          '/products?category=electronics&sort=price',
+          '/path?key=value&another=param',
+          '/page?id=123&filter=active',
+          '/?global=true',
+        ]
+
+        validUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(true)
+        })
+      })
+
+      it('should validate absolute URLs with query parameters', () => {
+        const validUrls = [
+          'https://example.com?id=123',
+          'http://example.com/page?key=value',
+          'www.example.com?search=query',
+          'https://example.com/path?a=1&b=2&c=3',
+        ]
+
+        validUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(true)
+        })
+      })
+
+      it('should validate URLs with query parameters and anchors', () => {
+        const validUrls = [
+          '/page?id=123#section',
+          'https://example.com?key=value#anchor',
+          '/search?q=test#results',
+        ]
+
+        validUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(true)
+        })
+      })
+    })
+
+    describe('edge cases', () => {
+      it('should handle the default https:// case', () => {
+        expect(validateUrl('https://')).toBe(true)
+      })
+
+      it('should return false for empty or invalid URLs', () => {
+        const invalidUrls = [
+          '',
+          'not-a-url',
+          'example.com',
+          'relative/path',
+          'file.html',
+          'some#fragment',
+          'http://',
+          'http:/example.com',
+          'http//example.com',
+        ]
+
+        invalidUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(false)
+        })
+      })
+
+      it('should return false for URLs with spaces', () => {
+        const invalidUrls = [
+          '/path/with spaces',
+          'http://example.com/ spaces',
+          'https://example.com/path with spaces',
+        ]
+
+        invalidUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(false)
+        })
+      })
+
+      it('should return false for malformed URLs', () => {
+        const invalidUrls = ['://missing.scheme', 'ftp://example .com', 'http://example', '#', '/#']
+
+        invalidUrls.forEach((url) => {
+          expect(validateUrl(url)).toBe(false)
+        })
+      })
+    })
+  })
 })
diff --git a/packages/richtext-lexical/src/lexical/utils/url.ts b/packages/richtext-lexical/src/lexical/utils/url.ts
@@ -35,8 +35,10 @@ export const absoluteRegExp =
  * - /privacy-policy
  * - /privacy-policy#primary-terms
  * - #primary-terms
+ * - /page?id=123
+ * - /page?id=123#section
  *  */
-export const relativeOrAnchorRegExp = /^(?:\/[\w\-./]*(?:#\w[\w-]*)?|#[\w\-]+)$/
+export const relativeOrAnchorRegExp = /^(?:\/[\w\-./]*(?:\?[-;&=%\w]*)?(?:#[\w-]+)?|#[\w\-]+)$/
 
 /**
  * Prevents unreasonable URLs from being inserted into the editor.
@@ -55,11 +57,20 @@ export function validateUrlMinimal(url: string): boolean {
 export function validateUrl(url: string): boolean {
   // TODO Fix UI for link insertion; it should never default to an invalid URL such as https://.
   // Maybe show a dialog where they user can type the URL before inserting it.
-
   if (!url) {
     return false
   }
 
+  // Reject URLs with spaces
+  if (url.includes(' ')) {
+    return false
+  }
+
+  // Reject malformed protocol URLs (e.g., http:/example.com instead of http://example.com)
+  if (/^[a-z][a-z\d+.-]*:\/[^/]/i.test(url)) {
+    return false
+  }
+
   if (url === 'https://') {
     return true
   }
@@ -76,7 +87,13 @@ export function validateUrl(url: string): boolean {
 
   // While this doesn't allow URLs starting with www (which is why we use the regex above), it does properly handle tel: URLs
   try {
-    new URL(url)
+    const urlObj = new URL(url)
+    // For http/https/ftp protocols, require a proper domain with at least one dot (for TLD)
+    if (['ftp:', 'http:', 'https:'].includes(urlObj.protocol)) {
+      if (!urlObj.hostname.includes('.')) {
+        return false
+      }
+    }
     return true
   } catch {
     /* empty */
