supabase
Chore: Add Validation to Account Name and Organization Name Text Fields to Prevent Malicious Input
What is the current behavior?
Currently, the account name and organization name text fields lack validation, allowing any characters to be used. This vulnerability can be exploited for malicious purposes. For example, a malicious link can be saved in these text boxes. When users receive an invitation to join a New Relic account, these names render as valid links in email clients. Since the email is from a trusted domain like New Relic, users may click on these links, which could lead to harmful sites.
Solution:
Added a regular expression validation to the relevant fields.
Testing:
- Manually tested the account First name / Last name and the Organization name text fields to ensure that only valid characters are accepted.
The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| studio-staging | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | May 17, 2024 0:35am |
5 Ignored Deployments
| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| database-new | ⬜️ Ignored (Inspect) | May 17, 2024 0:35am | ||
| docs | ⬜️ Ignored (Inspect) | May 17, 2024 0:35am | ||
| studio | ⬜️ Ignored (Inspect) | May 17, 2024 0:35am | ||
| studio-self-hosted | ⬜️ Ignored (Inspect) | May 17, 2024 0:35am | ||
| zone-www-dot-com | ⬜️ Ignored (Inspect) | May 17, 2024 0:35am |
![vercel[bot] avatar](https://avatars.githubusercontent.com/in/8329?v=4 "Published by a pub.dev verified publisher"){kind=small}
No changes detected in supabase directory.
This pull request has been ignored for the connected project xguihxuzqibwxjnimxev due to its connection settings.
Go to Project Integrations Settings ↗︎ in order to change this behavior.
Branching Preview Branches by Supabase. Learn more about Supabase for Git ↗︎.
![supabase[bot] avatar](https://avatars.githubusercontent.com/in/330661?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hmm I would expect a URL to be a valid organization name, to be fair. I should be able to name my org company.io if I want to... would it be better to escape somehow in the HTML template instead to prevent email client auto-linking?
