Chat- Invalid URL can be parsed by adding https:// to the URL in title

[lanitochka17]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Action Performed:

1. Go to http://staging.new.expensify.com/
2. Open a conversation
3. Enter and send the link https://giphy-.com/gifs/tiktok-cat-kitty-lazy-cOd2FsYUiRzWkaA2DX
4. Enter and send link https://-giphy.com/gifs/tiktok-cat-kitty-lazy-cOd2FsYUiRzWkaA2DX
5. Enter and send the link [chill] (https://giphy-.com/gifs/tiktok-cat-kitty-lazy-cOd2FsYUiRzWkaA2DX)
6. Enter and send the link [chill] (https://-giphy.com/gifs/tiktok-cat-kitty-lazy-cOd2FsYUiRzWkaA2DX)
7. Tap on all the link

Expected Result:

If name + incorrect format URL or If URL in incorrect format, it should not be hyperlinked and must not be directed to expensify site
If name + URL started with hyphen or if URL is started with hyphen, excluding the hyphen, all text must be hyperlinked

Actual Result:

If (https://
)URL in incorrect format, it should not be hyperlinked but it is directed to expensify site
If (https://
)URL is started with hyphen, excluding the hyphen, all text must be hyperlinked. But here, entire text with hyphen shown as hyperlink and directed to expensify site

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.44.0

Reproducible in staging?: Yes

Reproducible in production?: Yes

If this was caught during regression testing, add the test name, ID and link from TestRail:

Email or phone of affected tester (no customers):

Logs: https://stackoverflow.com/c/expensify/questions/4856

Notes/Photos/Videos: Any additional supporting documentation

Bug6138610_chill.mp4

Expensify/Expensify Issue URL:

Issue reported by: Applause - Internal Team

Slack conversation:

View all open jobs on GitHub

[melvin-bot]

Triggered auto assignment to @sophiepintoraetz (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[ygshbht]

I might be wrong, but from what i see the parsing happens in the backend

[samh-nl]

I'm unable to reproduce what is shown in the video.
The expected & actual result sections of the bug report are furthermore quite hard to follow.

[jjcoffee]

I am able to reproduce on latest main using [chill](https://-giphy.com/gifs/tiktok-cat-kitty-lazy-cOd2FsYUiRzWkaA2DX) but agree that the bug report is very hard to follow! @lanitochka17 Are you able to update the expected & actual result sections as below?

Expected Result:

Invalid URLs containing incorrectly placed hyphens (such as https://-giphy.com/gifs/tiktok-cat-kitty-lazy-cOd2FsYUiRzWkaA2DX) should not be converted to links.

Actual Result:

Invalid URLs are initially converted to links as long as they start with a protocol (e.g. https://), before BE strips the link from the anchor tag, leaving a blank link that on click opens NewDot instead.

[jjcoffee]

Proposal

Please re-state the problem that we are trying to solve in this issue.

URLs with protocol added (e.g. https://) are not autolinked consistently with URLs that do not have the protocol added.

What is the root cause of that problem?

This was introduced by this PR which added a "loose" regex for matching localhost-style URLs (which it applies to any URL which has a protocol (e.g. https://), which is I guess the way to distinguish it from a "normal domain"):

const LOOSE_URL_WEBSITE_REGEX = `${URL_PROTOCOL_REGEX}([-\\w]+(\\.[-\\w]+)*)(?:\\:${ALLOWED_PORTS}|\\b|(?=_))`;

The URL_PROTOCOL_REGEX is reused, but the actual domain regex is different from the URL_WEBSITE_REGEX. This is where the incosistency stems, as it explicitly allows a starting hyphen for the domain (through [-\\w]), whereas URL_WEBSITE_REGEX explicitly disallows the same:

const URL_WEBSITE_REGEX = `${URL_PROTOCOL_REGEX}?((?:www\\.)?[a-z0-9](?:[-a-z0-9]*[a-z0-9])?\\.)+(?:${TLD_REGEX})(?:\\:${ALLOWED_PORTS}|\\b|(?=_))`;

This results in invalid URLs being briefly shown as links by FE (as if they are valid), before the BE strips the URL from the link (as it is invalid).

What changes do you think we should make in order to solve the problem?

I think we want to keep the loose regex to support localhost-style URLs, but tighten it back up so that it still blocks leading (and ending) hyphens. This is easy to do by just reusing the domain part of URL_WEBSITE_REGEX, so that we get:

const LOOSE_URL_WEBSITE_REGEX = `${URL_PROTOCOL_REGEX}([a-z0-9](?:[-a-z0-9]*[a-z0-9])?\\.?)+(?:\\:${ALLOWED_PORTS}|\\b|(?=_))`;

This passes all existing tests here, as well as the following additional tests:

expect(regexToTest.test('http://my.localhost.local-domain')).toBeTruthy();
expect(regexToTest.test('http://-localhost')).toBeFalsy();
expect(regexToTest.test('http://-example.com')).toBeFalsy();
expect(regexToTest.test('http://example-.com')).toBeFalsy();
expect(regexToTest.test('http://my.localhost....local-domain:8080')).toBeFalsy();

[sophiepintoraetz]

@lanitochka17 - can you please clean up the reproduction steps and confirm whether @jjcoffee's steps are clearer expected results?

[sophiepintoraetz]

All right, closing this until we hear from @lanitochka17.

[melvin-bot]

@sophiepintoraetz Be sure to fill out the Contact List!

[jjcoffee]

Looks like this will be handled in #23535