
Replace insecure URL validation regex with proper URL constructor validation

Open Copilot opened this issue 4 months ago • 2 comments

The prework link validation used a permissive regex /^https?:\/\/.+/ that could allow malicious URLs to pass validation.

Changes Made

  • Security: Replace regex pattern with isValidUrl() function that uses JavaScript URL constructor
  • Import: Add isValidUrl import from existing @utils/formValidations
  • Validation: Update prework link field to use validate property instead of pattern

Code Changes

// Before - insecure regex validation
pattern: {
    value: /^https?:\/\/.+/,
    message: "Please enter a valid URL (starting with http:// or https://)",
}

// After - secure URL constructor validation
validate: (value) => {
    if (!isValidUrl(value)) {
        return "Please enter a valid URL (starting with http:// or https://)";
    }
    return true;
}

The isValidUrl() function leverages the browser's native URL constructor for robust validation that prevents malformed and potentially malicious URLs while maintaining the same user experience.



Copilot, Oct 29 '25 03:10
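As an added example, not the project's own @utils/formValidations code: a URL-constructor validator of the kind this PR describes, placed beside the regex it replaces and run over constructed sample links. The names isValidUrl, isValidUrlLegacy and compareValidators are assumed, as is the scheme check, which the PR text does not spell out.

```javascript
// Added example, not the project's own @utils/formValidations code: a
// URL-constructor validator of the kind the PR describes, beside the regex it
// replaces, run over constructed sample links.
const LEGACY_PATTERN = /^https?:\/\/.+/;

// The old check: only the prefix matters, anything after "://" is accepted.
function isValidUrlLegacy(value) {
  return LEGACY_PATTERN.test(value);
}

// Assumed implementation of isValidUrl(): parse with the WHATWG URL
// constructor, then pin the scheme. The scheme check matters because
// `new URL("javascript:alert(1)")` parses without throwing.
function isValidUrl(value) {
  if (typeof value !== "string") return false;
  let url;
  try {
    url = new URL(value.trim());
  } catch {
    return false; // malformed: bad host characters, port out of range, ...
  }
  return (url.protocol === "http:" || url.protocol === "https:") && url.hostname !== "";
}

// Returns both verdicts so the difference is visible for a single input.
function compareValidators(value) {
  return { legacy: isValidUrlLegacy(value), strict: isValidUrl(value) };
}

// Constructed sample inputs: [link, expected legacy verdict, expected strict verdict]
const SAMPLES = [
  ["https://example.com/prework", true, true],
  ["http://exa mple.com/", true, false],       // space in host
  ["https://example.com:99999/", true, false], // port out of range
  ["https://[", true, false],                  // unterminated IPv6 literal
  ["javascript:alert(1)", false, false],       // wrong scheme
  ["ftp://example.com/", false, false],        // wrong scheme
];

for (const [link, legacy, strict] of SAMPLES) {
  const r = compareValidators(link);
  console.log(`${link.padEnd(30)} legacy=${r.legacy} strict=${r.strict}`);
  if (r.legacy !== legacy || r.strict !== strict) {
    throw new Error(`unexpected verdict for ${link}`);
  }
}
```

The rows where legacy is true and strict is false are the inputs the old regex let through; the scheme check is what keeps `new URL()` from accepting non-http(s) links on its own.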