<p><b>@AntonKhorev</b> commented on this pull request.</p>

<hr>

<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/5439#discussion_r1898169512">app/models/social_link.rb</a>:</p>
<pre style='color:#555'>> +#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#
+# Indexes
+#
+#  index_social_links_on_user_id  (user_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (user_id => users.id)
+#
+
+class SocialLink < ApplicationRecord
+  belongs_to :user
+
+  validates :url, :presence => true, :format => { :with => URI::DEFAULT_PARSER.make_regexp(%w[http https]), :message => I18n.t("profiles.edit.social_links.http_parse_error") }
</pre>
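<p dir="auto">Review bot: the pattern given to <code class="notranslate">:format => { :with => ... }</code> on the <code class="notranslate">validates :url</code> line comes from <code class="notranslate">URI::DEFAULT_PARSER.make_regexp(%w[http https])</code>, which is not anchored, so a value passes when an http(s) URL appears anywhere inside it rather than when the whole value is one. Parse the value instead (<code class="notranslate">URI.parse</code>, then require an http or https scheme and a host), or wrap the pattern in <code class="notranslate">\A</code> and <code class="notranslate">\z</code>. Also, <code class="notranslate">I18n.t(...)</code> in the class body runs once at load time, so the message is fixed to the locale active then; pass a symbol key or a lambda so it is resolved when the error is generated.</p>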
<p dir="auto">This doesn't check if <code class="notranslate">url</code> starts with <code class="notranslate">http://</code>.</p>
<p dir="auto">And if you also disable CSP:<br>
<a href="https://github.com/user-attachments/assets/52f7c65d-f423-4093-8483-63e236e0e6df">image.png (view on web)</a></p>
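<p dir="auto">The behaviour described in the comment above, as an added Ruby example that is not code from the pull request: it runs the same <code class="notranslate">make_regexp</code> pattern over constructed sample values and compares it with a whole-string check. The helper names (<code class="notranslate">passes_unanchored?</code>, <code class="notranslate">http_url?</code>, <code class="notranslate">regexp_only_accepts</code>) and all sample values are assumptions made for illustration.</p>

```ruby
require "uri"

# Same pattern as in the hunk. make_regexp adds no \A / \z anchors.
UNANCHORED = URI::DEFAULT_PARSER.make_regexp(%w[http https])

# Approximates what a :format => { :with => ... } validation does:
# the value passes if the pattern matches anywhere in the string.
def passes_unanchored?(value)
  value.match?(UNANCHORED)
end

# Hypothetical stricter check: parse the whole value and require an
# http or https scheme (URI::HTTPS is a subclass of URI::HTTP) and a host.
def http_url?(value)
  uri = URI.parse(value)
  uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
rescue URI::Error
  false
end

# Constructed sample inputs, not taken from the pull request.
SAMPLES = [
  "https://example.com/profile",                     # plain https URL
  "ftp://files.example.com/?ref=http://example.com", # other scheme, http URL inside
  "see http://example.com",                          # free text containing a URL
  "example.com"                                      # no scheme at all
].freeze

# Values the unanchored pattern lets through but the whole-string check rejects.
def regexp_only_accepts(values)
  values.select { |v| passes_unanchored?(v) && !http_url?(v) }
end

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |v|
    puts format("%-50s regexp=%-5s strict=%s", v, passes_unanchored?(v), http_url?(v))
  end
end
```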
