soegaard / racket-stories

Racket Stories is a "submit and vote" web site. This repo serves as an example of a small "in production" web-site written in Racket.
MIT License

Fix URL validation regex #13

Closed seisvelas closed 4 years ago

seisvelas commented 4 years ago

The current regex for validating a submission link only checks whether the URL contains http[s]?://.+ rather than whether the URL begins with http[s]?://.+. To correct that, we simply add a caret character at the beginning of the regex like so:

^http[s]?://.+

Which is exactly what I've done in this Pull Request.

There are other factors that would prevent an actual XSS injection, but these can also be worked around. For a more thorough exploration of the problem, see Issue https://github.com/soegaard/racket-stories/issues/14
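
The effect of the missing caret, as an added example in Racket that is not part of this PR or the racket-stories code: the unanchored pattern and the anchored one from this PR are run side by side over constructed sample submissions, and a stricter check built on `net/url` is shown as one possible follow-up (all sample strings and the helper names are assumptions).

```racket
#lang racket
(require net/url)

;; The original pattern: accepts a string if "http://" or "https://"
;; appears ANYWHERE in it, not only at the start.
(define unanchored-rx #rx"http[s]?://.+")

;; The pattern after this PR: the scheme must be at the start of the string.
(define anchored-rx #rx"^http[s]?://.+")

(define (valid-link? rx s)
  (regexp-match? rx s))

;; A stricter alternative (assumption, not from the repo): parse the string
;; as a URL and require an http/https scheme plus a non-empty host.
(define (strict-link? s)
  (define u (string->url s))
  (and (member (url-scheme u) '("http" "https"))
       (string? (url-host u))
       (positive? (string-length (url-host u)))
       #t))

;; Constructed sample submissions (hypothetical, for illustration only).
(define samples
  '("https://racket-lang.org"          ; legitimate link
    "http://example.com/a?b=c"         ; legitimate link
    " http://example.com"              ; leading space: scheme is not at index 0
    "see http://example.com for more"  ; free text that merely mentions a URL
    "example.com"                      ; no scheme at all
    "http://"))                        ; scheme only, no host

(for ([s samples])
  (printf "~s\n  unanchored: ~a  anchored: ~a  strict: ~a\n"
          s
          (valid-link? unanchored-rx s)
          (valid-link? anchored-rx s)
          (strict-link? s)))
```

The third and fourth samples are the ones the original regex accepts and the anchored regex rejects; the last sample shows that anchoring alone still says nothing about the host, which is what the `net/url`-based check adds.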

soegaard commented 4 years ago

Thanks for reporting this - and for contributing a fix.