From 457c187240f2fb583d21b2ebde4ce45922f40acd Mon Sep 17 00:00:00 2001
From: Alex Holliday <ajhollid@gmail.com>
Date: Mon, 3 Mar 2025 14:16:24 -0800
Subject: [PATCH] disallow reserved chars from status page valiation

---
 src/Pages/StatusPage/Create/Components/Tabs/Settings.jsx | 2 ++
 src/Validation/validation.js                             | 9 ++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/Pages/StatusPage/Create/Components/Tabs/Settings.jsx b/src/Pages/StatusPage/Create/Components/Tabs/Settings.jsx
index 14f7ac20c..0fdf1a9b8 100644
--- a/src/Pages/StatusPage/Create/Components/Tabs/Settings.jsx
+++ b/src/Pages/StatusPage/Create/Components/Tabs/Settings.jsx
@@ -73,6 +73,8 @@ const TabSettings = ({
 							label="Your status page address"
 							value={form.url}
 							onChange={handleFormChange}
+							helperText={errors["url"]}
+							error={errors["url"] ? true : false}
 						/>
 					</Stack>
 				</ConfigBox>
diff --git a/src/Validation/validation.js b/src/Validation/validation.js
index a243b37e8..ed0aaf6b8 100644
--- a/src/Validation/validation.js
+++ b/src/Validation/validation.js
@@ -222,7 +222,14 @@ const statusPageValidation = joi.object({
 		.string()
 		.trim()
 		.messages({ "string.empty": "Company name is required." }),
-	url: joi.string().trim().messages({ "string.empty": "URL is required." }),
+	url: joi
+		.string()
+		.pattern(/^[a-zA-Z0-9_-]+$/) // Only allow alphanumeric, underscore, and hyphen
+		.required()
+		.messages({
+			"string.pattern.base":
+				"URL can only contain letters, numbers, underscores, and hyphens",
+		}),
 	timezone: joi.string().trim().messages({ "string.empty": "Timezone is required." }),
 	color: joi.string().trim().messages({ "string.empty": "Color is required." }),
 	theme: joi.string(),