fix: prevent XSS via javascript: URIs in recipe actions (#6885)

Hayden
2026-01-16 12:19:27 -06:00
committed by GitHub
parent a72641b32e
commit 3e306638d0
2 changed files with 47 additions and 2 deletions


@@ -1,7 +1,7 @@
from enum import Enum
from typing import Any
from pydantic import UUID4, ConfigDict
from pydantic import UUID4, ConfigDict, field_validator
from mealie.schema._mealie import MealieModel
from mealie.schema.response.pagination import PaginationBase
@@ -22,6 +22,14 @@ class CreateGroupRecipeAction(MealieModel):
model_config = ConfigDict(use_enum_values=True)
@field_validator("url")
def validate_url_scheme(url: str) -> str:
"""Validate that the URL uses a safe scheme to prevent XSS via javascript: URIs."""
url_lower = url.lower().strip()
if not (url_lower.startswith("http://") or url_lower.startswith("https://")):
raise ValueError("URL must use http or https scheme")
return url
class SaveGroupRecipeAction(CreateGroupRecipeAction):
group_id: UUID4