Skip to content

Add explanatory comment for protocol-relative URL check in sanitizer#13

Merged
JosunLP merged 3 commits intodevelopmentfrom
copilot/sub-pr-12
Jan 24, 2026
Merged

Add explanatory comment for protocol-relative URL check in sanitizer#13
JosunLP merged 3 commits intodevelopmentfrom
copilot/sub-pr-12

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Jan 24, 2026
edited
Loading

Addresses feedback on PR #12 regarding the protocol-relative URL early return in isExternalUrl().

Changes

  • Added comment explaining why the // check at line 366 is critical for correctness, not optimization
  • Clarifies that protocol-relative URLs must be handled before reaching the URL constructor, where they could be incorrectly resolved with window.location.href as base
// Protocol-relative URLs (//example.com) are always external
// CRITICAL: This check must happen before the URL constructor call below.
// Protocol-relative URLs with window.location.href as base would be
// incorrectly resolved (e.g., "//evil.com" + "http://mysite.com" could
// resolve unexpectedly). Treating them as external upfront ensures
// correct security classification and prevents potential URL parsing issues.
if (trimmedUrl.startsWith('//')) {
  return true;
}

This prevents future maintainers from inadvertently removing or relocating the check, which would introduce security classification bugs.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Jan 24, 2026
Merged
@JosunLP
Add critical comment explaining protocol-relative URL check
4eca6fd 
Co-authored-by: JosunLP <20913954+JosunLP@users.noreply.github.com>
Copilot AI changed the title [WIP] Address feedback on Version 1.1.2 pull request Add explanatory comment for protocol-relative URL check in sanitizer Jan 24, 2026
Copilot AI requested a review from JosunLP January 24, 2026 01:28
@JosunLP JosunLP marked this pull request as ready for review January 24, 2026 01:34
Copilot AI review requested due to automatic review settings January 24, 2026 01:34
Copilot AI reviewed Jan 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refines the documentation around the URL sanitization logic by clarifying why the protocol-relative // check in isExternalUrl() is critical to security correctness.

Changes:

  • Added an explicit comment explaining the need for an early return on protocol-relative URLs.
  • Documented the security rationale to discourage future refactors that might move or remove the // guard.

@JosunLP
Update src/security/sanitize.ts
be22fda 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@JosunLP JosunLP merged commit 40b4e0f into development Jan 24, 2026
5 checks passed
@JosunLP JosunLP deleted the copilot/sub-pr-12 branch January 24, 2026 01:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@JosunLP JosunLP Awaiting requested review from JosunLP

Assignees

@JosunLP JosunLP

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JosunLP