
Trustarc - added integration scripts to top of head #2285

Open
gabrielvigil-mixpanel wants to merge 21 commits into main from trustarc-scripts

Conversation

gabrielvigil-mixpanel (Contributor) commented Dec 19, 2025

vercel bot commented Dec 19, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: docs | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Mar 12, 2026 11:10pm


@tiffanyqi tiffanyqi marked this pull request as ready for review March 4, 2026 18:19
@tiffanyqi tiffanyqi requested a review from a team as a code owner March 4, 2026 18:19
@tiffanyqi tiffanyqi requested review from Tofufu and removed request for a team March 4, 2026 18:19
"nx-flex nx-items-center nx-px-2 nx-py-1 nx-text-xs nx-font-semibold nx-text-purple140 nx-shadow-sm focus-visible:nx-outline focus-visible:nx-outline-2 focus-visible:nx-outline-offset-2 focus-visible:nx-outline-purple140";

function getLoomShareURL(embedURL: string): string | null {
if (!embedURL.includes("loom.com")) {

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization (High): 'loom.com' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix (AI) commented 4 days ago

In general, the fix is to stop using a substring check on the entire URL string and instead parse the URL, then verify that its hostname is an expected Loom host (for example loom.com or www.loom.com) before transforming it. This prevents URLs from other domains that merely contain loom.com somewhere in the path or query from being mistaken for Loom URLs.

Concretely, in components/VideoButtonWithModal/VideoButtonWithModal.tsx, we should update getLoomShareURL to:

  1. Safely construct a URL object from embedURL, catching any parsing errors and returning null if parsing fails.
  2. Check that url.hostname is exactly an allowed Loom host (e.g. 'loom.com' or 'www.loom.com').
  3. If the host is allowed, convert the path from /embed/VIDEO_ID to /share/VIDEO_ID without doing a global string replace on the entire URL; instead, operate on the pathname and then reconstruct the URL via the URL object.
  4. Return the full transformed URL string using url.toString().

We only need to change the getLoomShareURL function; all imports stay as-is since URL is available globally in modern browsers/Node, and this is a React/TSX file which runs in such environments. The rest of the component logic remains the same.

Suggested changeset 1
components/VideoButtonWithModal/VideoButtonWithModal.tsx

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/components/VideoButtonWithModal/VideoButtonWithModal.tsx b/components/VideoButtonWithModal/VideoButtonWithModal.tsx
--- a/components/VideoButtonWithModal/VideoButtonWithModal.tsx
+++ b/components/VideoButtonWithModal/VideoButtonWithModal.tsx
@@ -16,11 +16,25 @@
   "nx-flex nx-items-center nx-px-2 nx-py-1 nx-text-xs nx-font-semibold nx-text-purple140 nx-shadow-sm focus-visible:nx-outline focus-visible:nx-outline-2 focus-visible:nx-outline-offset-2 focus-visible:nx-outline-purple140";
 
 function getLoomShareURL(embedURL: string): string | null {
-  if (!embedURL.includes("loom.com")) {
+  try {
+    const url = new URL(embedURL);
+    const allowedHosts = new Set(["loom.com", "www.loom.com"]);
+
+    if (!allowedHosts.has(url.hostname)) {
+      return null;
+    }
+
+    // Convert loom.com/embed/VIDEO_ID to loom.com/share/VIDEO_ID
+    if (url.pathname.startsWith("/embed/")) {
+      url.pathname = url.pathname.replace("/embed/", "/share/");
+      return url.toString();
+    }
+
     return null;
+  } catch {
+    // If the URL is invalid, treat it as non-Loom
+    return null;
   }
-  // Convert loom.com/embed/VIDEO_ID to loom.com/share/VIDEO_ID
-  return embedURL.replace("/embed/", "/share/");
 }
 
 export default function VideoButtonWithModal({
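Review bot: the hunk silently changes what happens to Loom links that are not embed links. The removed code returned `embedURL.replace("/embed/", "/share/")` for any string containing loom.com, so a `https://www.loom.com/share/<id>` input came back unchanged; the new code returns null whenever `url.pathname` does not start with `/embed/`, which is a behaviour change worth confirming against how the component is called. If share links are legitimate input, add a branch that returns `url.toString()` when the pathname already starts with `/share/`. Separately, consider checking `url.protocol === "https:"` next to the `allowedHosts` test, since the hostname allowlist alone still accepts `http://loom.com/embed/<id>`.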
EOF
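The parse-then-compare approach described in the autofix comment, as an added example that is not code from this PR or from the project: the flagged `includes("loom.com")` substring test is placed beside a hostname-allowlist check and both are run over constructed Loom-lookalike URLs, so the difference is visible on each input. The function names, the `https:` requirement and the sample URLs are this example's own assumptions; the autofix itself only checks the hostname.

```typescript
// Added example, not code from the PR or the project. Shows why the flagged
// `includes("loom.com")` test is unsafe and how a parsed-hostname allowlist
// behaves on the same inputs. Function names, the https requirement and the
// sample URLs are this example's own assumptions.

const ALLOWED_LOOM_HOSTS = new Set(["loom.com", "www.loom.com"]);

// Vulnerable form: the substring test CodeQL flagged. "loom.com" may sit in the
// path, the query, the userinfo or inside a longer hostname, so this matches
// far more than Loom-hosted links.
function looksLikeLoomSubstring(embedURL: string): boolean {
  return embedURL.includes("loom.com");
}

// Parse with the WHATWG URL parser; relative or malformed input yields null
// instead of throwing, so callers can treat it as "not a Loom link".
function parseURL(input: string): URL | null {
  try {
    return new URL(input);
  } catch {
    return null;
  }
}

// Hardened form: compare the parsed hostname exactly against an allowlist and
// (an assumption of this example, beyond the autofix) insist on https so a
// plaintext loom.com link is not promoted either.
function isLoomURL(embedURL: string): boolean {
  const url = parseURL(embedURL);
  return url !== null && url.protocol === "https:" && ALLOWED_LOOM_HOSTS.has(url.hostname);
}

// Rewrite /embed/<id> to /share/<id> on the parsed pathname only, never on the
// whole string, then reserialise so query and fragment survive untouched.
function toLoomShareURL(embedURL: string): string | null {
  if (!isLoomURL(embedURL)) return null;
  const url = parseURL(embedURL)!;
  if (!url.pathname.startsWith("/embed/")) return null;
  url.pathname = "/share/" + url.pathname.slice("/embed/".length);
  return url.toString();
}

// Constructed inputs: one genuine embed link followed by lookalikes in which
// "loom.com" appears somewhere other than as the exact hostname.
const SAMPLE_URLS: string[] = [
  "https://www.loom.com/embed/abc123?sid=xyz",
  "https://evil.example/loom.com/embed/abc123",      // substring in the path
  "https://loom.com.evil.example/embed/abc123",      // hostname merely begins with loom.com
  "https://loom.com@evil.example/embed/abc123",      // "loom.com" is the userinfo; host is evil.example
  "https://evil.example/embed/abc123?next=loom.com", // substring in the query
  "http://loom.com/embed/abc123",                    // right host, wrong scheme
  "/embed/loom.com",                                 // relative path, not an absolute URL
];

interface Verdict {
  url: string;
  substring: boolean;
  hardened: boolean;
  share: string | null;
}

// Run both checks over every sample so the difference is visible side by side.
function compareChecks(urls: string[] = SAMPLE_URLS): Verdict[] {
  return urls.map((url) => ({
    url,
    substring: looksLikeLoomSubstring(url),
    hardened: isLoomURL(url),
    share: toLoomShareURL(url),
  }));
}

for (const v of compareChecks()) {
  const a = v.substring ? "substring:ACCEPT" : "substring:reject";
  const b = v.hardened ? "allowlist:ACCEPT" : "allowlist:reject";
  console.log(`${a}  ${b}  ${v.url}  ->  ${v.share ?? "null"}`);
}
```

On these inputs the substring test accepts all seven, while the allowlist accepts only the first and rewrites it to `https://www.loom.com/share/abc123?sid=xyz`. The userinfo case is the one to remember: a string that starts with `https://loom.com` still parses to a hostname of `evil.example`, which is exactly why the comparison has to be made on the parsed hostname rather than on any prefix or substring of the raw string.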