Lines 3791-3831javascript
3792function _validateSlugFormat(slug, fieldLabel, allowSlash) {
3793 if (typeof slug !== "string") return null;
3794 // Length cap (full slug). Browsers/CDNs typically cap URLs ~2000 chars;
3795 // most CMSes cap slugs ~200. Hard cap before any other check to avoid
3796 // wasting cycles on a deliberately massive payload.
3797 if (slug.length > SLUG_MAX_LENGTH) {
3798 return `${fieldLabel} is ${slug.length} chars (max ${SLUG_MAX_LENGTH}). BD URL slugs over this length break browsers, CDNs, and email clients.`;
3800 // Reject NFKC-non-canonical slugs. NFKC compatibility-decomposes
3801 // Unicode chars that visually look like other chars (e.g. `ffi`
3802 // U+FB03 → `ffi`, full-width digits → ASCII digits, etc.). Two
3803 // slugs that decompose to the same canonical form should be the
3804 // SAME slug; allowing both creates phishing-equivalent duplicates
3805 // that bypass the duplicate-pair guard. We reject the non-
3806 // canonical form and tell the agent to use the decomposed version.
3807 const normalized = slug.normalize("NFKC");
3808 if (normalized !== slug) {
3809 return `${fieldLabel} '${slug}' contains characters that decompose to a different form under Unicode NFKC normalization (canonical: '${normalized}'). Use the canonical form to avoid creating phishing-equivalent duplicates.`;
3811 if (/[\s--]/.test(slug)) {
CriticalTrojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
index.jsView on unpkg · L3811 3812 return `${fieldLabel} '${slug}' contains whitespace or invisible characters, which are not allowed in BD URLs. Use hyphens instead (e.g. 'my-page' not 'my page').`;
3814 // Control + bidi chars (\p{C} = control + format + private-use, covers
3815 // RTL override U+202E + every C0/C1 control + ZWSP-class redundantly).
3816 // Future-proof: new Unicode releases that add bidi-control or format
3817 // chars are auto-rejected without spec maintenance.
3818 if (/\p{C}/u.test(slug)) {
3819 return `${fieldLabel} '${slug}' contains control or bidi-override characters (e.g. RTL override U+202E). These enable phishing-display attacks where a slug visually renders differently than its actual content.`;
3821 // Trailing dot: some routers (IIS, Windows) normalize trailing dots
3822 // away, making `about.` a duplicate-equivalent of `about`. Reject so
3823 // both can't coexist on platforms with that quirk.
3824 if (slug.endsWith(".")) {
3825 return `${fieldLabel} '${slug}' ends with a dot. Some web servers (IIS, Windows) silently strip trailing dots, making the slug a duplicate of the same name without the dot. Remove the trailing dot.`;
3827 // URL-reserved chars + RFC 3986 reserved chars + chars that enable
3828 // phishing-link shapes (`javascript:alert(1)` via `:` + `(` + `)`).
3829 // Asymmetric reject of `'` vs `"` in earlier versions left an SQLi-shape
3830 // gap. Now both blocked.
3831 // BD URL slugs (`filename`, `subscription_filename`, `post_filename`,