fix(explore): Increase strictness on URLs#115881
Conversation
URL.parse accepts hostnames like * or {host} that are not real navigable
hosts. Reject wildcard and template characters so these render as plain
text instead of clickable links.
Refs EXP-957
Co-Authored-By: Composer <noreply@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Switch event detail surfaces from isUrl to isValidUrl so wildcard and template hostnames are not treated as navigable links. Refs EXP-957 Co-Authored-By: Composer <noreply@cursor.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Switch Discover field renderers and cell actions from isUrl to isValidUrl, and add coverage for wildcard URL span names. Refs EXP-957 Co-Authored-By: Composer <noreply@cursor.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Switch Explore attribute trees and field renderers from isUrl to isValidUrl, and add coverage for wildcard URL span names. Refs EXP-957 Co-Authored-By: Composer <noreply@cursor.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Switch tag details and trace request sections from isUrl to isValidUrl so wildcard hostnames are not treated as navigable links. Refs EXP-957 Co-Authored-By: Composer <noreply@cursor.com> Co-authored-by: Cursor <cursoragent@cursor.com>
github-actions
Bot
added
the
Scope: Frontend
|
@cursor review |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 02075b2. Configure here.
📊 Type Coverage Diff✅ No new type safety issues introduced. Coverage: 93.57% |
Tighten isValidUrl to reject template characters in the URL authority. Add renderUrlCellValue so valid URLs use ExternalLink with the external-link modal while invalid URLs stay plain text. Restrict cell action "Open link" to same-origin paths so stripURLOrigin no longer turns wildcard hosts into in-app routes. Refs EXP-957 Co-Authored-By: Composer <noreply@cursor.com> Co-authored-by: Cursor <cursoragent@cursor.com>
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 9ae8c88. Configure here.
JoshuaKGoldberg
left a comment
JoshuaKGoldberg
left a comment
There was a problem hiding this comment.
I think there's one bug around duplicate/inverse checking for valid value. But otherwise LGTM!
JoshuaKGoldberg
left a comment
JoshuaKGoldberg
left a comment
There was a problem hiding this comment.
The added deduplication is a nice touch. ✨
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 8bb9cc9. Configure here.
String formatter used slice(-1), which returns a one-element array. After renderUrlCellValue, that showed (no value) instead of the tail value for tag fields stored as arrays. Refs EXP-957 Co-Authored-By: Composer <noreply@cursor.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Render numeric and boolean fallback values instead of treating every non-string URL cell value as missing. This keeps measurement fields visible when they use the string renderer because response metadata is incomplete. Co-Authored-By: OpenAI Codex <codex@openai.com>
2 participants
The goal of this PR is to be a bit more strict when it comes to URLs so that we don't allow link cell actions, etc. to take place for a URL like
http://*/api/cool-endpoint.Closes EXP-957
Before:
After:
