Sanitize request.url_root to prevent Host header injection in documentation route

[Copilot]

request.url_root is derived from the HTTP Host header and was being used directly in string replacement when rendering the API docs page, making the rendered Markup() output potentially attacker-influenced.

Changes

• Sanitize URL root: Parse request.url_root with urlparse() and reconstruct using only scheme + netloc, stripping any injected path, query string, or fragment
• Tighten # nosec: Replace blanket # nosec with # nosec B704 and update the comment to accurately reflect why it's safe

parsed = urlparse(request.url_root)
safe_url_root = f"{parsed.scheme}://{parsed.netloc}/"
html_content = markdown.markdown(content.replace('http://localhost/', safe_url_root))
return Markup(html_content)  # nosec B704

Examples of what gets neutralized:

• https://evil.com/http://localhost/ → https://evil.com/
• http://example.com?q=<script>alert(1)</script> → http://example.com/
• http://example.com/../../../etc/passwd → http://example.com/

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.