From d73c6ebedb27e2ccfd9adba042e20c30207479c5 Mon Sep 17 00:00:00 2001
From: Dave Brondsema <dbrondsema@slashdotmedia.com>
Date: Fri, 14 Jun 2024 10:53:31 -0400
Subject: [PATCH] improve url checks

---
 Allura/allura/lib/validators.py    | 8 ++++----
 Allura/allura/lib/widgets/forms.py | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Allura/allura/lib/validators.py b/Allura/allura/lib/validators.py
index b43f55e5f..c2e5374d1 100644
--- a/Allura/allura/lib/validators.py
+++ b/Allura/allura/lib/validators.py
@@ -509,7 +509,7 @@ class LinkedinValidator(fev.FancyValidator):
     def _convert_to_python(self, value, state):
         if value.startswith('@') and not re.match(FEDIVERSE_REGEX, value):
             value = f'https://linkedin.com/in/{value.replace("@", "")}/'
-        elif 'linkedin.com' not in value:
+        elif not value.startswith('http') or 'linkedin.com' not in value:
             raise fe.Invalid('Invalid Linkedin address', value, state)
         return value
 
@@ -518,7 +518,7 @@ class TwitterValidator(fev.FancyValidator):
     def _convert_to_python(self, value, state):
         if value.startswith('@') and not re.match(FEDIVERSE_REGEX, value):
             value = f'https://twitter.com/{value.replace("@", "")}'
-        elif 'twitter.com' not in value:
+        elif not value.startswith('http') or 'twitter.com' not in value:
             raise fe.Invalid('Invalid Twitter address', value, state)
         return value
 
@@ -527,7 +527,7 @@ class InstagramValidator(fev.FancyValidator):
     def _convert_to_python(self, value, state):
         if value.startswith('@') and not re.match(FEDIVERSE_REGEX, value):
             value = f'https://instagram.com/{value.replace("@", "")}'
-        elif 'instagram.com' not in value:
+        elif not value.startswith('http') or 'instagram.com' not in value:
             raise fe.Invalid('Invalid Instagram address', value, state)
         return value
 
@@ -536,7 +536,7 @@ class FacebookValidator(fev.FancyValidator):
     def _convert_to_python(self, value, state):
         if value.startswith('@') and not re.match(FEDIVERSE_REGEX, value):
             value = f'https://facebook.com/{value.replace("@", "")}'
-        elif 'facebook.com' not in value:
+        elif not value.startswith('http') or 'facebook.com' not in value:
             raise fe.Invalid('Invalid Facebook address', value, state)
         return value
 
diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py
index 1c737ba5d..d3c8ddff8 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -836,7 +836,7 @@ class fields(ew_core.NameList):
             validator=V.JsonValidator(if_empty=''))
         icon = ew.FileField(attrs={'accept': 'image/*'})
         tracking_id = ew.TextField(attrs=(dict(placeholder='UA-123456-0', pattern='UA-[0-9]+-[0-9]+')))
-        project_list_url = ew.TextField()
+        project_list_url = ew.TextField(validator=fev.URL(), attrs=dict(type='url'))
         anchored_tools = ffw.AutoResizeTextarea()
         prohibited_tools = ffw.AutoResizeTextarea()