From cf7febeb94f1bb27ddf289fc2421765c5afd6a0a Mon Sep 17 00:00:00 2001 From: Zeyu Zhang <39144422+zeyu2001@users.noreply.github.com> Date: Tue, 16 Jul 2024 17:25:54 +0800 Subject: [PATCH] docs: baseOrigin --- packages/validators/README.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/packages/validators/README.md b/packages/validators/README.md index bcf36a4..9e9462c 100644 --- a/packages/validators/README.md +++ b/packages/validators/README.md 
@@ -10,10 +10,17 @@ Validates URLs against a whitelist of allowed protocols and hostnames, preventin `options?`: `` -- `baseOrigin`: `` - The base origin to use for relative URLs. If no base origin is provided, relative URLs will be considered invalid. An origin does not include the path or query parameters. For example, a valid base origin is `https://example.com`. +- `baseOrigin`: `` - The base origin to use for relative URLs. If no base origin is provided, relative URLs will be considered invalid. + + An origin does not include the path or query parameters. For example, a valid base origin is `https://example.com` or `http://localhost:3000`. + - `whitelist`: `` - - `protocols`: `` - A list of allowed protocols. If no protocols are provided, the validator will use the default protocols: `['http', 'https']`. **Caution: allowing `javascript` or `data` protocols can lead to XSS vulnerabilities.** - - `hostnames`: `` - A list of allowed hostnames. If no hostnames are provided, the validator will allow any hostname. **It is recommended to provide a list of allowed hostnames to prevent open redirects.** + - `protocols`: `` - A list of allowed protocols. If no protocols are provided, the validator will use the default protocols: `['http', 'https']`. + + **Caution: allowing `javascript` or `data` protocols can lead to XSS vulnerabilities.** + - `hostnames`: `` - A list of allowed hostnames. If no hostnames are provided, the validator will allow any hostname. + + **It is recommended to provide a list of allowed hostnames to prevent open redirects.** If no options are provided, the validator will use the default options:
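Review bot: The reworded `baseOrigin` entry still leaves the interaction with `whitelist.hostnames` undocumented: when a relative URL is resolved against `baseOrigin`, the reader cannot tell whether the resulting absolute URL is then checked against the `hostnames` list (so the base origin's host must be whitelisted) or whether relative URLs bypass that check. Since the same hunk says that an empty `hostnames` list allows any hostname, a one-line statement such as "Relative URLs are resolved against `baseOrigin` and then validated like any other URL, so its hostname must be in `hostnames` if a list is given" would close the gap. Two smaller points: the new `http://localhost:3000` example shows that the port is part of the origin, so it is worth saying so explicitly next to "An origin does not include the path or query parameters"; and the type annotations after `baseOrigin`, `whitelist`, `protocols` and `hostnames` appear as empty code spans in the hunk as shown, so if the type names were dropped in the reflow they should be restored.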