From f601cff5c5222d6f3a7c06ecbafb3d07ad63997f Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Wed, 28 May 2025 13:31:40 -0400
Subject: [PATCH] check input URL scheme before continuing

---
 packages/backend/src/server/web/UrlPreviewService.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/packages/backend/src/server/web/UrlPreviewService.ts b/packages/backend/src/server/web/UrlPreviewService.ts
index 160cf37c00..da2660ab0f 100644
--- a/packages/backend/src/server/web/UrlPreviewService.ts
+++ b/packages/backend/src/server/web/UrlPreviewService.ts
@@ -139,6 +139,13 @@ export class UrlPreviewService {
 return;
 }
 
+ // Enforce HTTP(S) for input URLs
+ const urlScheme = this.utilityService.getUrlScheme(url);
+ if (urlScheme !== 'http:' && urlScheme !== 'https:') {
+ reply.code(400);
+ return;
+ }
+
 const lang = request.query.lang;
 if (Array.isArray(lang)) {
 reply.code(400);
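Review bot: The added guard on `urlScheme` constrains only the scheme of the submitted string; it does not restrict the destination host or anything reached through redirects, so it should not be read as the whole server-side request boundary for the preview fetch. If host and redirect filtering happens further down (not visible in this hunk), the comment should say so, for example `// Enforce HTTP(S) for input URLs; destination host and redirects are validated by <downstream component>`. `getUrlScheme` is defined outside this diff, so it is worth confirming that it parses with the same URL parser as the code that later fetches, and that it returns a value rather than throwing on input the earlier check lets through, since a throw here would presumably surface as a 500 instead of the intended 400. The handler body starts and ends outside the hunk.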