[backport cloud/1.34] fix: allow dots in template URL parameter for version numbers (#7328)

Backport of #7325 to `cloud/1.34` Automatically created by backport workflow. ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-7328-backport-cloud-1-34-fix-allow-dots-in-template-URL-parameter-for-version-numbers-2c56d73d36508192b2b6f90a0562029d) by [Unito](https://www.unito.io) Co-authored-by: Johnpaul Chiwetelu <49923152+Myestery@users.noreply.github.com>
2026-02-02 06:19:58 +00:00 · 2025-12-11 09:13:06 +09:00
parent 432c1e8e33
commit 562db3b0d9
2 changed files with 5 additions and 2 deletions
--- a/src/platform/workflow/templates/composables/useTemplateUrlLoader.ts
+++ b/src/platform/workflow/templates/composables/useTemplateUrlLoader.ts
@@ -33,9 +33,11 @@ export function useTemplateUrlLoader() {

  /**
   * Validates parameter format to prevent path traversal and injection attacks
+   * Allows: letters, numbers, underscores, hyphens, and dots (for version numbers)
+   * Blocks: path separators (/, \), special chars that could enable injection
   */
  const isValidParameter = (param: string): boolean => {
-    return /^[a-zA-Z0-9_-]+$/.test(param)
+    return /^[a-zA-Z0-9_.-]+$/.test(param)
  }

  /**
--- a/tests-ui/tests/platform/workflow/templates/composables/useTemplateUrlLoader.test.ts
+++ b/tests-ui/tests/platform/workflow/templates/composables/useTemplateUrlLoader.test.ts
@@ -187,7 +187,8 @@ describe('useTemplateUrlLoader', () => {
      'flux_simple',
      'flux-kontext-dev',
      'template123',
-      'My_Template-2'
+      'My_Template-2',
+      'templates-1_click_multiple_scene_angles-v1.0' // template with version number containing dot
    ]

    for (const template of validTemplates) {