/**
 * Copyright (c) Meta Platforms, Inc. and affiliates.
 *
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 *
 * @flow
 */

import {disableJavaScriptURLs} from 'shared/ReactFeatureFlags';

// A javascript: URL can contain leading C0 control or \u0020 SPACE,
// and any newline or tab are filtered out as if they're not part of the URL.
// https://url.spec.whatwg.org/#url-parsing
// Tab or newline are defined as \r\n\t:
// https://infra.spec.whatwg.org/#ascii-tab-or-newline
// A C0 control is a code point in the range \u0000 NULL to \u001F
// INFORMATION SEPARATOR ONE, inclusive:
// https://infra.spec.whatwg.org/#c0-control-or-space

/* eslint-disable max-len */
const isJavaScriptProtocol =
  /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;

let didWarn = false;

function sanitizeURL<T>(url: T): T | string {
  // We should never have symbols here because they get filtered out elsewhere.
  // eslint-disable-next-line react-internal/safe-string-coercion
  const stringifiedURL = '' + (url: any);
  if (disableJavaScriptURLs) {
    if (isJavaScriptProtocol.test(stringifiedURL)) {
      // Return a different javascript: url that doesn't cause any side-effects and just
      // throws if ever visited.
      // eslint-disable-next-line no-script-url
      return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
    }
  } else if (__DEV__) {
    if (!didWarn && isJavaScriptProtocol.test(stringifiedURL)) {
      didWarn = true;
      console.error(
        'A future version of React will block javascript: URLs as a security precaution. ' +
          'Use event handlers instead if you can. If you need to generate unsafe HTML try ' +
          'using dangerouslySetInnerHTML instead. React was passed %s.',
        JSON.stringify(stringifiedURL),
      );
    }
  }
  return url;
}

export default sanitizeURL;