fix: add strict URL validation with consistent error message

[sahitya-chandra]

What does this PR do?

Added validation for url to have at least one dot in url

• Fixes URL booking question does not have any HTTP validation #22838
• Fixes CAL-6184

Visual Demo (For contributors especially)

Previously, when user passed random input like "sadasad" it passed the url checks...

Screencast.from.2025-07-31.21-39-38.webm

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

• Show screen recordings of the issue or feature.
• Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

• Add side-by-side screenshots of the original and updated change.
• Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

• Are there environment variables that should be set?
• What are the minimal test data to have?
• What is expected (happy path) to have (input and output)?
• Any other important info that could help to test that PR

Checklist

• I haven't read the contributing guide
• My code doesn't follow the style guidelines of this project
• I haven't commented my code, particularly in hard-to-understand areas
• I haven't checked if my changes generate no new warnings

[coderabbitai]

Walkthrough

The code change enhances the URL validation logic in the form builder schema's url field type. It modifies the superRefine method to first test if the input string matches a domain-like pattern before prepending "https://". If the domain-like pattern matches, it attempts URL validation on the prefixed string; otherwise, it directly adds a validation error. The previous explicit check for malformed protocols remains unchanged. No changes were made to the signatures of exported or public entities.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Add HTTP(S) URL validation to the URL booking question, preventing invalid characters (#22838, CAL-6184)	✅

Assessment against linked issues: Out-of-scope changes

No out-of-scope changes were found.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 41ead47 and 42177ce.

📒 Files selected for processing (1)

• packages/features/form-builder/schema.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/features/form-builder/schema.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Production builds / Build Docs
• GitHub Check: Production builds / Build Web App
• GitHub Check: Production builds / Build Atoms
• GitHub Check: Production builds / Build API v2
• GitHub Check: Tests / Unit
• GitHub Check: Production builds / Build API v1
• GitHub Check: Type check / check-types
• GitHub Check: Linters / lint

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[vercel]

@sahitya-chandra is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

[graphite-app]

Graphite Automations

"Add consumer team as reviewer" took an action on this PR • (07/31/25)

1 reviewer was added to this PR based on Keith Williams's automation.

"Add community label" took an action on this PR • (07/31/25)

1 label was added to this PR based on Keith Williams's automation.

"Add ready-for-e2e label" took an action on this PR • (08/08/25)

1 label was added to this PR based on Keith Williams's automation.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/features/form-builder/schema.ts (1)

402-413: Simplified validation aligns with PR objectives, but consider required field handling.

The new validation logic successfully implements strict URL validation with consistent error messaging as requested. However, there are a few considerations:

1. Double trimming: The response is trimmed in both preprocess (line 400) and superRefine (line 403). The trimming in superRefine is redundant since preprocessing already handles this.

2. Required field validation: The current logic doesn't explicitly handle the case where a URL field is required but empty. An empty string will fail URL validation and show "Invalid URL" instead of a more appropriate "This field is required" message.

Consider this improvement to handle required fields more appropriately:

  superRefine: ({ response, ctx, m, field, isPartialSchema }) => {
-   const value = response?.trim() ?? "";
+   const value = response ?? "";
    
+   // Handle required field validation first
+   if (field.required && !isPartialSchema && !value) {
+     ctx.addIssue({
+       code: z.ZodIssueCode.custom,
+       message: m("error_required_field"),
+     });
+     return;
+   }
+   
+   // Skip URL validation for empty optional fields
+   if (!value) {
+     return;
+   }

    const urlSchema = z.string().url();

    if (!urlSchema.safeParse(value).success) {
      ctx.addIssue({
        code: z.ZodIssueCode.custom,
        message: m("Invalid URL"),
      });
    }
  },

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2cc7827 and 9625189.

📒 Files selected for processing (1)

• packages/features/form-builder/schema.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.ts

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

**/*.ts: For Prisma queries, only select data you need; never use include, always use select
Ensure the credential.key field is never returned from tRPC endpoints or APIs

Files:

• packages/features/form-builder/schema.ts

**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

Flag excessive Day.js use in performance-critical code; prefer native Date or Day.js .utc() in hot paths like loops

Files:

• packages/features/form-builder/schema.ts

🧠 Learnings (2)

📚 Learning: in signup-view.tsx, when checking if redirecturl contains certain strings, using explicit && checks ...

Learnt from: Anshumancanrock
PR: calcom/cal.com#22570
File: apps/web/modules/signup-view.tsx:253-253
Timestamp: 2025-07-21T21:33:23.371Z
Learning: In signup-view.tsx, when checking if redirectUrl contains certain strings, using explicit && checks (redirectUrl && redirectUrl.includes()) is preferred over optional chaining (redirectUrl?.includes()) to ensure the result is always a boolean rather than potentially undefined. This approach provides cleaner boolean contracts for downstream conditional logic.

Applied to files:

• packages/features/form-builder/schema.ts

📚 Learning: in the insightsroutingservice (packages/lib/server/service/insightsrouting.ts), multi-select filter ...

Learnt from: eunjae-lee
PR: calcom/cal.com#22106
File: packages/lib/server/service/insightsRouting.ts:367-368
Timestamp: 2025-07-15T13:02:17.403Z
Learning: In the InsightsRoutingService (packages/lib/server/service/insightsRouting.ts), multi-select filter data is already validated by zod before reaching the buildFormFieldSqlCondition method, so null/undefined values are not present in filterValue.data arrays and don't need to be filtered out.

Applied to files:

• packages/features/form-builder/schema.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: required

🔇 Additional comments (1)

packages/features/form-builder/schema.ts (1)

399-401: LGTM: Preprocessing with trimming is appropriate.

The preprocessing step correctly trims whitespace from URL inputs, which is a good practice for user input sanitization.

[sahitya-chandra]

@volnei @anikdhabal sir can you review this

[anikdhabal]

Looks good

[github-actions]

E2E results are ready!

• Workflow #71082.1 latest results