The current regex for validating a submission link only checks whether the URL contains http[s]?://.+ rather than whether the URL begins with http[s]?://.+. To correct that, we simply add a caret character at the beginning of the regex like so:
^http[s]?://.+
Which is exactly what I've done in this Pull Request.
There are other factors that would prevent an actual XSS injection, but these can also be worked around. For a more thorough exploration of the problem, see Issue https://github.com/soegaard/racket-stories/issues/14
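An added illustration of the difference the caret makes, not code from the pull request or from racket-stories (which uses Racket regexps); it uses Python's re module, whose search semantics match the "contains" behaviour described, and the sample submission strings are constructed:

```python
import re

# Pre-fix pattern: matched anywhere in the string, i.e. "contains".
UNANCHORED = re.compile(r"http[s]?://.+")
# Post-fix pattern: the caret pins the scheme to the start of the string.
ANCHORED = re.compile(r"^http[s]?://.+")


def accepts_unanchored(url: str) -> bool:
    """Old check: does the URL contain http(s):// anywhere?"""
    return UNANCHORED.search(url) is not None


def accepts_anchored(url: str) -> bool:
    """New check: does the URL start with http(s)://?"""
    return ANCHORED.search(url) is not None


# Constructed sample submissions mapped to (old result, new result).
SAMPLES = {
    "https://example.com/story": (True, True),
    "http://example.com": (True, True),
    # Scheme is not at the start: the old check still accepts it.
    "javascript:void(0) https://example.com": (True, False),
    # Another scheme with an http:// URL embedded in a query parameter.
    "ftp://example.com/?next=http://example.com": (True, False),
    "example.com": (False, False),
}


def compare(samples):
    """Return {url: (old_result, new_result)} for each sample."""
    return {u: (accepts_unanchored(u), accepts_anchored(u)) for u in samples}


if __name__ == "__main__":
    for url, (old, new) in compare(SAMPLES).items():
        print(f"{url!r}: before={old} after={new}")
```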