From c4023095f5ca7fd63cde8bf9773c5a9edcae8b49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Darius=20Nea=C8=9Bu?=
Date: Wed, 1 Apr 2026 02:58:21 +0300
Subject: [PATCH] Potential fix for code scanning alert no. 1: Incomplete URL substring sanitization
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/components/youtube-transformer.js | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/components/youtube-transformer.js b/src/components/youtube-transformer.js
index 8c7c346..f0475fd 100644
--- a/src/components/youtube-transformer.js
+++ b/src/components/youtube-transformer.js
@@ -1,12 +1,28 @@
 const YouTubeTransformer = {
 name: "YouTube",
 shouldTransform(url) {
- return url.includes("youtube.com") || url.includes("youtu.be");
+ try {
+ const parsed = new URL(url);
+ const hostname = parsed.hostname.toLowerCase();
+ const allowedHosts = [
+ "youtube.com",
+ "www.youtube.com",
+ "m.youtube.com",
+ "youtu.be",
+ "www.youtu.be"
+ ];
+ return allowedHosts.includes(hostname);
+ } catch (e) {
+ // If the URL cannot be parsed, it cannot be a valid YouTube URL.
+ return false;
+ }
 },
 getHTML(url) {
- const videoId = url.includes("youtu.be")
- ? url.split("/").pop()
- : new URL(url).searchParams.get("v");
+ const urlObj = new URL(url);
+ const isShort = urlObj.hostname.toLowerCase() === "youtu.be" || urlObj.hostname.toLowerCase() === "www.youtu.be";
+ const videoId = isShort
+ ? urlObj.pathname.split("/").filter(Boolean).pop()
+ : urlObj.searchParams.get("v");
 return `