
@alienx5499
Owner

Potential fix for https://github.com/alienx5499/SortVision/security/code-scanning/43

In general, the fix is to treat data: and vbscript: schemes the same way as javascript: when validating or filtering URLs that may come from untrusted or semi-untrusted sources. Any logic that excludes javascript: URLs from further processing should also exclude data: and vbscript: URLs.

Concretely in SortVision/tests/quality-assurance.mjs, modify the extractInternalPathsFromHtml function so that the scheme check on line 140:

if (href.startsWith('javascript:')) continue;

is extended to also skip data: and vbscript: links. To minimize behavioral changes and keep the intent clear, we can simply expand this if to include additional startsWith checks:

if (
  href.startsWith('javascript:') ||
  href.startsWith('data:') ||
  href.startsWith('vbscript:')
) continue;

This keeps the rest of the function intact and avoids altering any other logic or imports. No new helpers or imports are required; the change is local to this function and just broadens the set of schemes treated as non-navigational/executable.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…heck

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
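Added here as an illustration, not SortVision's own code: the three-scheme prefix check from the PR next to a version that decides on the parsed scheme, which also rejects the case and leading-whitespace variants a plain startsWith() comparison lets through. Function and sample names (isBlockedHref, extractInternalPaths, SAMPLE_HTML) are assumptions.

```javascript
// Added example, not SortVision's quality-assurance.mjs: the same three-scheme
// filter keyed on the parsed scheme instead of a raw startsWith() prefix.
// Names (isBlockedHref, extractInternalPaths, SAMPLE_HTML) are hypothetical.
const BLOCKED_SCHEMES = new Set(['javascript:', 'data:', 'vbscript:']);

// The PR's form of the check, kept for comparison: exact lowercase prefixes
// only, so 'JavaScript:' or ' data:' (leading space) pass through it.
function isBlockedByStartsWith(href) {
  return (
    href.startsWith('javascript:') ||
    href.startsWith('data:') ||
    href.startsWith('vbscript:')
  );
}

// Resolve the href as a browser would and test the normalised scheme: the
// WHATWG URL parser lower-cases the scheme and strips leading/trailing
// whitespace, so case and spacing variants collapse to one form.
function isBlockedHref(href, base = 'https://example.invalid/') {
  try {
    return BLOCKED_SCHEMES.has(new URL(href, base).protocol);
  } catch {
    return true; // unparseable href: nothing a QA crawl could follow anyway
  }
}

// Minimal href extraction from an HTML string; returns the same-origin paths
// that survive the filter (external links are dropped too).
function extractInternalPaths(html, base = 'https://example.invalid/') {
  const origin = new URL(base).origin;
  const paths = [];
  for (const [, href] of html.matchAll(/href\s*=\s*["']([^"']*)["']/gi)) {
    if (isBlockedHref(href, base)) continue;
    const url = new URL(href, base);
    if (url.origin !== origin) continue;
    paths.push(url.pathname);
  }
  return paths;
}

// Constructed sample input: two links the prefix check handles and two
// (mixed case, leading space) that only the parsed-scheme check rejects.
const SAMPLE_HTML = `<a href="/about">About</a>
<a href="javascript:void(0)">prefix match</a>
<a href="JavaScript:void(0)">mixed case</a>
<a href=" data:text/plain,hello">leading space</a>
<a href="vbscript:Nothing">prefix match</a>
<a href="https://other.example/x">external</a>
<a href="docs/index.html">relative</a>`;
```

Running extractInternalPaths(SAMPLE_HTML) yields only /about and /docs/index.html; the two variant links are dropped by isBlockedHref but would be kept by isBlockedByStartsWith.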
@vercel

vercel bot commented Jan 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
sortvision Ready Ready Preview, Comment Jan 26, 2026 3:40am

@alienx5499 alienx5499 marked this pull request as ready for review January 26, 2026 03:40
Copilot AI review requested due to automatic review settings January 26, 2026 03:40
Contributor

Copilot AI left a comment


Pull request overview

This PR addresses a security vulnerability (code scanning alert #43) by extending URL scheme validation in the quality assurance test suite to filter out potentially dangerous data: and vbscript: URL schemes alongside the existing javascript: scheme check.

Changes:

  • Extended the URL scheme filtering in extractInternalPathsFromHtml to reject data: and vbscript: schemes in addition to javascript: schemes


@alienx5499 alienx5499 merged commit f6264fb into main Jan 26, 2026
21 checks passed
@alienx5499 alienx5499 deleted the alert-autofix-43 branch January 26, 2026 03:42