Potential fix for code scanning alert no. 1: Incomplete URL substring sanitization

[neatudarius]

Potential fix for https://github.com/bemanproject/website/security/code-scanning/1

In general, to fix incomplete URL substring sanitization, you should parse the URL with a standard URL parser and then compare the hostname (or host) against an explicit set of allowed domains (and, if needed, their well‑defined subdomain patterns), instead of checking for substrings anywhere in the URL string.

For this specific code, the best fix without changing intended functionality is to (1) parse the url argument using the built‑in URL class, (2) inspect hostname to see whether it is one of the known YouTube hosts (youtube.com, www.youtube.com, m.youtube.com, youtu.be, etc.), and (3) only return true from shouldTransform when the hostname matches one of these allowed values. We should also ensure that getHTML derives the videoId based on the same hostname logic, so that it correctly handles both youtube.com and youtu.be URLs and is robust against malformed inputs. To avoid breaking behavior, we will preserve the existing embed generation but make the shouldTransform check more precise. Concretely, inside src/components/youtube-transformer.js, we will replace the substring logic in shouldTransform with a try { new URL(url) } catch block, extract hostname, and compare it against an allowedHosts array. We will also align the youtu.be check in getHTML to use parsed hostname (urlObj.hostname === "youtu.be") rather than the previous naive includes check, ensuring consistency. No extra imports are needed as URL is part of the Node.js / browser standard library.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[netlify]

✅ Deploy Preview for bemanproject ready!

Name	Link
🔨 Latest commit	c402309
🔍 Latest deploy log	https://app.netlify.com/projects/bemanproject/deploys/69cc5fa25084f60008f552cd
😎 Deploy Preview	https://deploy-preview-157--bemanproject.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[Copilot]

Pull request overview

Updates the site’s YouTube embed transformer to address a code scanning alert about incomplete URL substring sanitization by switching from substring checks to URL parsing and hostname allowlisting.

Changes:

• Replace shouldTransform substring matching with new URL(url) parsing and an explicit allowedHosts hostname allowlist.
• Update getHTML to determine youtu.be vs youtube.com handling via parsed hostname and pathname rather than naive string matching.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

videoId is derived from untrusted URL components (searchParams.get("v") / path segment) and then interpolated directly into an HTML attribute. A crafted URL can include quotes in the v parameter (e.g. ?v=" onload=...) which would break out of src="..." and enable HTML injection/XSS in the generated site. Validate the extracted videoId against the expected YouTube ID format (typically 11 chars [A-Za-z0-9_-]) and/or ensure it is safely encoded before interpolation; if invalid/missing, avoid transforming the URL (or return a safe fallback) instead of embedding null/unsafe content.

Suggested change

	const videoId = isShort
	? urlObj.pathname.split("/").filter(Boolean).pop()
	: urlObj.searchParams.get("v");
	const rawVideoId = isShort
	? urlObj.pathname.split("/").filter(Boolean).pop()
	: urlObj.searchParams.get("v");
	const videoIdPattern = /^[A-Za-z0-9_-]{11}$/;
	const videoId =
	typeof rawVideoId === "string" && videoIdPattern.test(rawVideoId)
	? rawVideoId
	: null;
	if (!videoId) {
	// Invalid or missing video ID; avoid generating an embed to prevent XSS.
	return "";
	}