fix: code review findings — URL validation hardening, error sanitization, screenshot parse error

DeliciousBuding · DeliciousBuding · commit 23fb954c8bc5 · 2026-05-20T08:32:51.000+08:00
diff --git a/internal/client/browser.go b/internal/client/browser.go
@@ -92,10 +92,10 @@ func (c *Client) Navigate(tabID, url string) error {
 	return err
 }
 
-var blockedURLSchemes = []string{"file:", "javascript:", "data:", "vbscript:"}
+var blockedURLSchemes = []string{"file:", "javascript:", "data:", "vbscript:", "about:", "chrome:", "edge:"}
 
 func validateURL(rawURL string) error {
-	lower := strings.ToLower(rawURL)
+	lower := strings.ToLower(strings.TrimSpace(rawURL))
 	for _, scheme := range blockedURLSchemes {
 		if strings.HasPrefix(lower, scheme) {
 			return fmt.Errorf("blocked URL scheme %q", scheme)
@@ -333,7 +333,7 @@ func (c *Client) Screenshot(tabID string, fullPage bool) (string, error) {
 		Data string `json:"data"`
 	}
 	if err := json.Unmarshal(raw, &result); err != nil {
-		return string(raw), nil
+		return "", fmt.Errorf("parse screenshot response: %w", err)
 	}
 	return result.Data, nil
 }
diff --git a/internal/client/client.go b/internal/client/client.go
@@ -209,7 +209,7 @@ func (c *Client) SendRequest(method string, params map[string]interface{}) (json
 	select {
 	case resp := <-ch:
 		if resp.Error != nil {
-			return nil, fmt.Errorf("rpc error in %s: %s", method, resp.Error.Message)
+			return nil, fmt.Errorf("rpc error in %s: %s", method, resp.Error.Error())
 		}
 		return resp.Result, nil
 	case <-c.ctx.Done():

Original file line number	Diff line number	Diff line change
`@@ -92,10 +92,10 @@ func (c *Client) Navigate(tabID, url string) error {`
`92`	`92`	`return err`
`93`	`93`	`}`
`94`	`94`
`95`		`-var blockedURLSchemes = []string{"file:", "javascript:", "data:", "vbscript:"}`
	`95`	`+var blockedURLSchemes = []string{"file:", "javascript:", "data:", "vbscript:", "about:", "chrome:", "edge:"}`
`96`	`96`
`97`	`97`	`func validateURL(rawURL string) error {`
`98`		`- lower := strings.ToLower(rawURL)`
	`98`	`+ lower := strings.ToLower(strings.TrimSpace(rawURL))`
`99`	`99`	`for _, scheme := range blockedURLSchemes {`
`100`	`100`	`if strings.HasPrefix(lower, scheme) {`
`101`	`101`	`return fmt.Errorf("blocked URL scheme %q", scheme)`
`@@ -333,7 +333,7 @@ func (c *Client) Screenshot(tabID string, fullPage bool) (string, error) {`
`333`	`333`	Data string `json:"data"`
`334`	`334`	`}`
`335`	`335`	`if err := json.Unmarshal(raw, &result); err != nil {`
`336`		`- return string(raw), nil`
	`336`	`+ return "", fmt.Errorf("parse screenshot response: %w", err)`
`337`	`337`	`}`
`338`	`338`	`return result.Data, nil`
`339`	`339`	`}`
Original file line number	Diff line number	Diff line change
`@@ -209,7 +209,7 @@ func (c *Client) SendRequest(method string, params map[string]interface{}) (json`
`209`	`209`	`select {`
`210`	`210`	`case resp := <-ch:`
`211`	`211`	`if resp.Error != nil {`
`212`		`- return nil, fmt.Errorf("rpc error in %s: %s", method, resp.Error.Message)`
	`212`	`+ return nil, fmt.Errorf("rpc error in %s: %s", method, resp.Error.Error())`
`213`	`213`	`}`
`214`	`214`	`return resp.Result, nil`
`215`	`215`	`case <-c.ctx.Done():`