Merge pull request #651 from aswin-s/fix/issue-34324

fix: prevent matching of urls nested inside tags
Expensify · Feb 19, 2024 · 83ae619 · 83ae619
2 parents 17e8f75 + 07cf638
commit 83ae619
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/__tests__/URL-test.js b/__tests__/URL-test.js
@@ -19,6 +19,12 @@ describe('Strict URL validation', () => {
             expect(regexToTest.test('https://google.com:65536')).toBeFalsy();
             expect(regexToTest.test('smtp://google.com')).toBeFalsy();
         });
+
+        it('should not match urls inside tags', () => {
+            const regexToTest = new RegExp(`^${URL_REGEX_WITH_REQUIRED_PROTOCOL}$`, 'i');
+            expect(regexToTest.test('<code>http://google.com/</code>')).toBeFalsy();
+            expect(regexToTest.test('<pre>http://google.com/</pre>')).toBeFalsy();
+        });
     });
 
     describe('Optional protocol for URL', () => {

diff --git a/lib/Url.js b/lib/Url.js
@@ -2,7 +2,8 @@ import TLD_REGEX from './tlds';
 
 const ALLOWED_PORTS = '([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])';
 const URL_PROTOCOL_REGEX = '((ht|f)tps?:\\/\\/)';
-const URL_WEBSITE_REGEX = `${URL_PROTOCOL_REGEX}?((?:www\\.)?[a-z0-9](?:[-a-z0-9]*[a-z0-9])?\\.)+(?:${TLD_REGEX})(?:\\:${ALLOWED_PORTS}|\\b|(?=_))(?!@(?:[a-z\\d-]+\\.)+[a-z]{2,})`;
+const URL_WEBSITE_REGEX = `${URL_PROTOCOL_REGEX}?((?:www\\.)?[a-z0-9](?=(?<label>[-a-z0-9]*[a-z0-9]))\\k<label>?\\.)+\
+(?:${TLD_REGEX})(?:\\:${ALLOWED_PORTS}|\\b|(?=_))(?!@(?:[a-z\\d-]+\\.)+[a-z]{2,})`;
 const addEscapedChar = reg => `(?:${reg}|&(?:amp|#x27);)`;
 const URL_PATH_REGEX = `(?:${addEscapedChar('[.,=(+$!*]')}?\\/${addEscapedChar('[-\\w$@.+!*:(),=%~]')}*${addEscapedChar('[-\\w~@:%)]')}|\\/)*`;
 const URL_PARAM_REGEX = `(?:\\?${addEscapedChar('[-\\w$@.+!*()\\/,=%{}:;\\[\\]\\|_|~]')}*)?`;