See SI-12 for the original issue and steps to reproduce.
Extend the URL validation introduced in SI-12, which prevents execution of malicious URLs, so that it also prevents saving potentially malicious URL strings.
- Context: Create or edit dashboard widgets with URL fields
- Applies to: URL links defined with a protocol identifier
- Does not apply to: URL link strings defined without a protocol identifier
- Given a string is entered in the URL link field of a dashboard widget
- When a user attempts to save the widget
- And the string is prefixed with a protocol identifier other than `https` or `http`
- Then do not save the record
- And return the user to the widget edit/create screen
- And highlight the invalid field with:
  - error styling
  - error message: "Please enter a valid URL (starts with \"https://\", \"http://\" or \"/\" and doesn't contain special characters not allowed in URLs)"
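
One way to implement the save-time rule above, as an added JavaScript example (not the project's code; the function names, the `field` value and the return shape are assumptions). It covers only the protocol-identifier rule, and it normalizes the input the way browsers do before looking for a protocol identifier, so case variants and embedded whitespace are caught:

```javascript
// Added example; names and return shape are hypothetical, not from SI-12.
const ALLOWED_SCHEMES = new Set(["http", "https"]);
const ERROR_MESSAGE =
  'Please enter a valid URL (starts with "https://", "http://" or "/" ' +
  "and doesn't contain special characters not allowed in URLs)";

// Mirror browser URL preprocessing (WHATWG URL Standard): leading/trailing
// C0 controls and spaces are stripped, and ASCII tab/newline characters are
// removed anywhere in the string, before the scheme is parsed.
function normalizeForSchemeCheck(input) {
  return String(input)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the lowercased protocol identifier, or null if the string has none.
// Grammar follows RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
// Note: "localhost:8080/x" yields scheme "localhost", as it does in browsers,
// so a host:port string written without "http://" is rejected as well.
function extractScheme(input) {
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(normalizeForSchemeCheck(input));
  return m ? m[1].toLowerCase() : null;
}

// Save-time check: reject only when a protocol identifier is present and is
// not http/https. Strings without one are out of scope for this rule.
function validateWidgetUrl(input) {
  const scheme = extractScheme(input);
  if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) {
    return { ok: false, field: "url", error: ERROR_MESSAGE };
  }
  return { ok: true, field: "url", error: null };
}

// Constructed sample inputs (not taken from SI-12).
const SAMPLES = [
  "https://example.com/a", "HTTP://example.com", "/dashboards/42",
  "example.com/page", "javascript:void(0)", " JaVaScRiPt:void(0)",
  "java\tscript:void(0)", "data:text/plain,hello", "localhost:8080/x",
];

// Returns [input, saved?] pairs for the samples above.
function checkSamples() {
  return SAMPLES.map((s) => [s, validateWidgetUrl(s).ok]);
}
```

When `ok` is false, the caller skips the save, re-renders the widget edit/create screen and attaches `error` to the URL field.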