Escape rendered suggestion content and validate URLs

2026-02-05 16:51:05 +01:00
parent d88469724a
commit 1d28ea6568
4 changed files with 76 additions and 26 deletions
--- a/Endpoints/EndpointHelpers.cs
+++ b/Endpoints/EndpointHelpers.cs
@@ -164,6 +164,13 @@ internal static class EndpointHelpers
        return data[8..].StartsWith(brandBytes);
    }

+    public static bool IsValidHttpUrl(string? url)
+    {
+        if (string.IsNullOrWhiteSpace(url)) return true; // empty is allowed
+        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri)) return false;
+        return uri.Scheme is "http" or "https";
+    }
+
    public static async Task<bool> IsAdmin(HttpContext ctx, AppDbContext db, IConfiguration config)
    {
        var player = await GetAuthenticatedPlayer(ctx, db);