XSS fix

- Bug:
xss vector in the "Target URL *" field on `/requests`.

- Fix:
added a regex validator on submition for http and https only for leaks.ts and requests.ts

convex/leaks.ts

@@ -236,6 +236,13 @@ export const insertLeak = mutation({
       };
     }
 
+    if (args.url && !/^https?:\/\/.+/i.test(args.url)) {
+      return {
+        success: false as const,
+        error: "Invalid URL.",
+      };
+    }
+
     // Validate required fields
     if (!args.targetName || !args.provider || !args.leakText) {
       return {

convex/requests.ts

@@ -3,6 +3,13 @@ import { getAuthUserId } from "@convex-dev/auth/server";
 import { query, mutation } from "./_generated/server";
 import { Id } from "./_generated/dataModel";
 
+// url validation helper
+function isValidUrl(url: string): boolean {
+  return /^https?:\/\/.+/i.test(url); // only http and https
+}
+
+
+
 /**
  * Get all open (non-closed) requests from the database.
  * Returns requests with submitter names populated.
@@ -104,6 +111,7 @@ export const getUserOpenRequests = query({
   },
 });
 
+
 /**
  * Create a new request for a leak target.
  * Validates that:
@@ -147,6 +155,13 @@ export const createRequest = mutation({
       };
     }
 
+    if (!isValidUrl(args.targetUrl)) {
+      return {
+        success: false as const,
+        error: "The provided target URL is not valid. Please provide a valid URL starting with http:// or https://",
+      };
+    }
+
     // Check if a request with the same target name already exists (case-insensitive)
     // Query ALL requests, not just open ones
     const allRequests = await ctx.db.query("requests").collect();