From e83cf0f5f6e12ea7964d3940492ad06fe46f38b4 Mon Sep 17 00:00:00 2001
From: Johnpaul Chiwetelu <49923152+Myestery@users.noreply.github.com>
Date: Thu, 11 Dec 2025 00:50:35 +0100
Subject: [PATCH] fix: allow dots in template URL parameter for version numbers (#7325)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

- Template names with dots (e.g., `templates-1_click_multiple_scene_angles-v1.0`) were being rejected by the URL parameter validation
- Updated validation regex from `^[a-zA-Z0-9_-]+$` to `^[a-zA-Z0-9_.-]+$` to allow dots for version numbers

## Test plan

- [x] Unit tests updated and passing
- [ ] Verify `?template=templates-1_click_multiple_scene_angles-v1.0` loads correctly

┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-7325-fix-allow-dots-in-template-URL-parameter-for-version-numbers-2c56d73d365081d48c28f20d979846d7) by [Unito](https://www.unito.io)
---
 .../workflow/templates/composables/useTemplateUrlLoader.ts | 4 +++-
 .../templates/composables/useTemplateUrlLoader.test.ts | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/platform/workflow/templates/composables/useTemplateUrlLoader.ts b/src/platform/workflow/templates/composables/useTemplateUrlLoader.ts
index 0305acaf7..0d3d3a4ac 100644
--- a/src/platform/workflow/templates/composables/useTemplateUrlLoader.ts
+++ b/src/platform/workflow/templates/composables/useTemplateUrlLoader.ts
@@ -33,9 +33,11 @@ export function useTemplateUrlLoader() {

 /**
 * Validates parameter format to prevent path traversal and injection attacks
+ * Allows: letters, numbers, underscores, hyphens, and dots (for version numbers)
+ * Blocks: path separators (/, \), special chars that could enable injection
 */
 const isValidParameter = (param: string): boolean => {
- return /^[a-zA-Z0-9_-]+$/.test(param)
+ return /^[a-zA-Z0-9_.-]+$/.test(param)
 }

 /**
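Review bot: The widened character class in `isValidParameter` now accepts values made only of dots, such as `.` and `..`, and names with a leading dot, while the doc comment still promises protection against path traversal. Separators remain blocked, but if the parameter is later interpolated into a URL or file path (that code is outside this hunk), a bare `..` segment may still be normalised to the parent location. Consider requiring dots to sit between name characters, e.g. `return /^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)*$/.test(param)`, which still accepts `templates-1_click_multiple_scene_angles-v1.0`. Because the helper name is generic, the relaxation presumably applies to every URL parameter it checks, not only `template`; the body of `useTemplateUrlLoader` continues outside the hunk.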
diff --git a/tests-ui/tests/platform/workflow/templates/composables/useTemplateUrlLoader.test.ts b/tests-ui/tests/platform/workflow/templates/composables/useTemplateUrlLoader.test.ts
index 650fa817c..7cd9453f6 100644
--- a/tests-ui/tests/platform/workflow/templates/composables/useTemplateUrlLoader.test.ts
+++ b/tests-ui/tests/platform/workflow/templates/composables/useTemplateUrlLoader.test.ts
@@ -187,7 +187,8 @@ describe('useTemplateUrlLoader', () => {
 'flux_simple',
 'flux-kontext-dev',
 'template123',
- 'My_Template-2'
+ 'My_Template-2',
+ 'templates-1_click_multiple_scene_angles-v1.0' // template with version number containing dot
 ]

 for (const template of validTemplates) {
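Review bot: Only the accepting side of the relaxed rule is pinned here: the new `validTemplates` entry shows that a dotted version passes, but nothing in this hunk asserts how dot-only or dot-led values such as `'.'`, `'..'` or `'.hidden'` are treated. With the pattern `^[a-zA-Z0-9_.-]+$` as committed, those values pass validation, so a test should either expect rejection (after tightening the validator) or record explicitly that they are allowed. If the file has a matching list of invalid names (not shown in the hunk), that is the natural place for these entries. The enclosing test case starts and ends outside the hunk.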