From f8578a2176dccb365d2548ad27b63ec0788f059f Mon Sep 17 00:00:00 2001
From: Rene Fichtmueller
Date: Sat, 28 Mar 2026 22:28:21 +0800
Subject: [PATCH] fix(server): catch invalid URL in HTTP handler to prevent XSS-probe crashes

new URL() throws ERR_INVALID_URL on malformed inputs like XSS probe requests (e.g. //brusEYkk%22%3E%3Cscript%3E...). Uncaught exception caused memory leak and process restarts. Return HTTP 400 instead.
---
 server.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/server.js b/server.js
index 96fc6c6..c223cb6 100644
--- a/server.js
+++ b/server.js
@@ -967,8 +967,14 @@ const server = http.createServer(async (req, res) => {
     return res.end();
   }
 
-  const url = new URL(req.url, "http://localhost");
-  const reqPath = url.pathname;
+  let url, reqPath;
+  try {
+    url = new URL(req.url, "http://localhost");
+    reqPath = url.pathname;
+  } catch (_urlErr) {
+    res.writeHead(400);
+    return res.end("Bad Request");
+  }
 
   // Serve static files
   if (reqPath === "/" || reqPath === "/index.html") {
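Review bot: The new catch block discards the error entirely, so the malformed-request traffic this fix was written for leaves no trace in the server's logs once it stops crashing the process; a bounded warning that records only the error code (not the raw `req.url`, which is attacker-controlled and may contain script fragments) keeps the probes observable without echoing them. Since the try body contains only the `new URL()` call and a property read, it would also be safer to name the error and rethrow anything that is not the expected parse failure rather than mapping every throwable to 400, e.g. `} catch (err) {`, `if (err.code !== "ERR_INVALID_URL") throw err;`, `console.warn(\`rejected unparseable request url (${err.code})\`);`. The comma-chained `let url, reqPath;` is better written as two declarations, and `url` is now possibly assigned in one branch only, so any later use of it past the hunk should be checked once the binding is no longer `const`. Note that `new URL("//host/...", base)` with a valid host does not throw but resolves to that foreign host, so if code outside this hunk ever uses `url.href` or `url.origin` for redirects rather than `pathname`, that path still needs its own check. The `createServer` callback begins and continues outside the hunk.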