From 23fa42bda5d5c22cb2060383cc93bf263bda2548 Mon Sep 17 00:00:00 2001
From: Tarrence van As
Date: Mon, 3 Nov 2025 10:51:25 -0600
Subject: [PATCH] Potential fix for code scanning alert no. 155: Client-side cross-site scripting
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 packages/keychain/src/utils/url-validator.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/packages/keychain/src/utils/url-validator.ts b/packages/keychain/src/utils/url-validator.ts
index 4a932cdae4..0353c647b0 100644
--- a/packages/keychain/src/utils/url-validator.ts
+++ b/packages/keychain/src/utils/url-validator.ts
@@ -11,6 +11,7 @@ export function validateRedirectUrl(redirectUrl: string): {
   isValid: boolean;
   error?: string;
+  validatedUrl?: string;
 } {
   // Check for empty or undefined
   if (!redirectUrl || redirectUrl.trim() === "") {
@@ -66,7 +67,7 @@ export function validateRedirectUrl(redirectUrl: string): {
   }
 
   // URL is safe to redirect to
-  return { isValid: true };
+  return { isValid: true, validatedUrl: url.href };
 }
 
 /**
@@ -88,6 +89,7 @@ export function safeRedirect(redirectUrl: string): boolean {
   }
 
   // Safe to redirect
-  window.location.href = redirectUrl;
+  // Use the canonical, validated URL instead of the raw input
+  window.location.href = validation.validatedUrl!;
   return true;
 }
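Review bot: The non-null assertion in `window.location.href = validation.validatedUrl!;` in the safeRedirect hunk is needed only because the first hunk declares `validatedUrl?: string`, so the type never encodes that a valid result always carries the canonical URL and the compiler cannot check the one line that performs the redirect. Declaring the result as a discriminated union, `{ isValid: true; validatedUrl: string } | { isValid: false; error: string }`, lets the preceding guard on `validation.isValid` narrow the type so the assignment becomes `window.location.href = validation.validatedUrl;` with no `!`. Note that `url.href` is only the canonical serialization of whatever `url` was parsed from, so the redirect remains exactly as safe as the scheme and origin checks that sit above `// URL is safe to redirect to`, which are outside the hunk; a comment on the return line such as `// validatedUrl is the parsed URL's canonical form, not the raw input` would make that dependency visible to the next reader. validateRedirectUrl begins before the first hunk and continues between the first and second, and the guard clause of safeRedirect that precedes the redirect lies outside the third hunk.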