From 6d8f066a16854841cdd440d1f7eb99977bc56f9f Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 2 Mar 2026 10:29:12 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?=
 =?UTF-8?q?x=20Stored=20XSS=20vulnerability=20in=20deck=20links?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added a validation check in the `api/app/api/decks/route.ts` file to ensure that all deck links use either the `http://` or `https://` schemes before being stored.

This prevents Stored Cross-Site Scripting (XSS) where an attacker could provide a malicious `javascript:` URL during manual deck text import, which would then be rendered as a clickable link in the frontend `DeckShowcase` component.
---
 api/app/api/decks/route.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/api/app/api/decks/route.ts b/api/app/api/decks/route.ts
index f7a4b88..e986623 100644
--- a/api/app/api/decks/route.ts
+++ b/api/app/api/decks/route.ts
@@ -72,6 +72,10 @@ export async function POST(request: NextRequest) {
       return badRequestResponse('Either deckUrl or deckText is required');
     }
 
+    if (link && !link.match(/^https?:\/\//i)) {
+      return badRequestResponse('Deck link must be a valid HTTP or HTTPS URL');
+    }
+
     const commander = parseCommanderFromContent(dck);
     let colorIdentity: string[] | undefined;
     if (commander) {