From cbfbca063ec164fb8cbb9cf5a35fd0d52b402a93 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Thu, 16 Apr 2026 13:28:48 -0500 Subject: [PATCH] Validate theme font and background URLs at the schema layer `ThemeFontSchema.url` and `ThemeBackgroundSchema.url` previously accepted any string, relying entirely on downstream `sanitizeUrl()` calls for protocol enforcement. Tightening the schema to `z.url()` rejects obviously malformed inputs up front and matches the approach already used for the relay list (`BlossomServersEventSchema`). `sanitizeUrl()` remains the authoritative guard for `https:` enforcement at render time. --- src/lib/schemas.ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/lib/schemas.ts b/src/lib/schemas.ts index 1ecaf266..e9f7c87f 100644 --- a/src/lib/schemas.ts +++ b/src/lib/schemas.ts @@ -64,12 +64,15 @@ export const ThemeColorsCompatSchema = z.union([ /** Zod schema for ThemeFont */ export const ThemeFontSchema = z.object({ family: z.string(), - url: z.string().optional(), + // Reject non-URL strings at the schema layer. Downstream consumers still + // run the value through \`sanitizeUrl()\` to enforce \`https:\` and strip + // \`javascript:\`/\`data:\` URIs before use — this is defense-in-depth. + url: z.url().optional(), }); /** Zod schema for ThemeBackground */ export const ThemeBackgroundSchema = z.object({ - url: z.string(), + url: z.url(), mode: z.enum(['cover', 'tile']).optional(), dimensions: z.string().optional(), mimeType: z.string().optional(),