Skip to content

Commit 32f60da

Browse files
fix(lint): suppress no-control-regex on intentional C0 control char strip in sanitizeHref
1 parent efe30c8 commit 32f60da

1 file changed

Lines changed: 3 additions & 4 deletions

File tree

packages/react-bridge/src/utils/sanitizeHref.ts

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -39,10 +39,9 @@ const SAFE_PROTOCOLS = new Set(['https:', 'http:', 'mailto:', 'tel:']);
3939
export function sanitizeHref(href: string | undefined | null): string {
4040
if (!href) return '#';
4141

42-
// Strip null bytes and C0 control characters that prefix-bypass protocol checks.
43-
// Range \x00-\x1f covers NUL through US (C0), \x7f is DEL.
44-
// NOTE: do NOT use /[ -]/ here — that character class range (space 0x20 to
45-
// hyphen 0x2D) would silently strip hyphens from all URLs.
42+
// Strip null bytes and C0 control characters (\x00-\x1f) and DEL (\x7f)
43+
// that prefix-bypass protocol checks (e.g. \0javascript:).
44+
// eslint-disable-next-line no-control-regex
4645
const trimmed = href.replace(/[\x00-\x1f\x7f]/g, '').trim();
4746
if (!trimmed) return '#';
4847

0 commit comments

Comments
 (0)