Problem
Six affiliate adapters validate only whether destinationUrl can be parsed by new URL(). That constructor also accepts non-web schemes such as javascript:, data:, mailto:, and ftp:.
Affected adapters:
- eBay Partner
- FlexOffers
- Rakuten
- ShareASale
- Sovrn
- Tradedoubler
For example, eBay can return a javascript: destination with tracking query parameters, while redirect-style adapters can encode a non-web destination into their tracking URL.
Expected behavior
Affiliate tracking links should accept only absolute HTTP or HTTPS destination URLs and reject every other protocol consistently.
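As an added illustration (not code from the project or any of the listed adapters), the weak check described above is shown beside a hardened check that accepts only absolute http(s) destinations; the function names, the tracker base URL and the sample destinations are assumptions.

```javascript
// Added example, not code from the project or any listed adapter: the weak
// check from the issue (anything new URL() parses is accepted) beside a
// hardened check that allows only http(s). Names and samples are assumptions.

// Weak check: javascript:, data:, mailto: and ftp: all pass as long as they parse.
function isParseableUrl(destinationUrl) {
  try {
    new URL(destinationUrl);
    return true;
  } catch {
    return false;
  }
}

// Hardened check: must parse as an absolute URL and use http: or https:.
// URL lower-cases the scheme, so 'HTTPS://...' passes and 'JavaScript:' does not.
function isWebUrl(destinationUrl) {
  let parsed;
  try {
    parsed = new URL(destinationUrl);
  } catch {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Hypothetical redirect-style adapter: the destination is encoded into the
// tracking URL only after the hardened check.
function buildTrackingLink(trackingBase, destinationUrl) {
  if (!isWebUrl(destinationUrl)) {
    throw new Error(`destination must be http(s): ${destinationUrl}`);
  }
  const link = new URL(trackingBase);
  link.searchParams.set('url', destinationUrl);
  return link.toString();
}

// Constructed sample destinations; reports which check accepts each one.
function checkSamples() {
  const samples = [
    'https://example.com/item?id=1', // web: accepted by both checks
    'javascript:void(0)',            // parses, so the weak check accepts it
    'data:text/plain,hello',         // same
    'mailto:user@example.com',       // same
    'ftp://example.com/file',        // same
    '/relative/path',                // no base URL: rejected by both
  ];
  return samples.map((url) => ({ url, parseable: isParseableUrl(url), web: isWebUrl(url) }));
}
```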
I have a focused regression for each affected adapter and a shared validation fix ready. The focused suite passes 69 tests after the fix.