
is-absolute-url


is-absolute-url - npm Package Compare versions

Comparing version

to
5.0.0

33

index.d.ts

@@ -0,1 +1,23 @@

export type Options = {
/**
Only allow HTTP(S) protocols.
When set to `false`, any valid absolute URL will be accepted, including potentially unsafe protocols like `javascript:`, `ftp:`, `ws:`, etc.
@default true
@example
```
import isAbsoluteUrl from 'is-absolute-url';
isAbsoluteUrl('javascript:alert(1)');
//=> false
isAbsoluteUrl('javascript:alert(1)', {httpOnly: false});
//=> true
```
*/
readonly httpOnly?: boolean;
};
/**

@@ -5,2 +27,3 @@ Check if a URL is absolute.

@param url - The URL to check.
@param options - Options to customize the behavior.

@@ -11,3 +34,3 @@ @example

isAbsoluteUrl('http://sindresorhus.com/foo/bar');
isAbsoluteUrl('https://sindresorhus.com/foo/bar');
//=> true

@@ -20,4 +43,10 @@

//=> false
isAbsoluteUrl('javascript:alert(1)');
//=> false
isAbsoluteUrl('javascript:alert(1)', {httpOnly: false});
//=> true
```
*/
export default function isAbsoluteUrl(url: string): boolean;
export default function isAbsoluteUrl(url: string, options?: Options): boolean;
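Review bot: The `httpOnly` doc comment lists which schemes are rejected but never says what a `true` result guarantees. The index.js hunks on this page show the HTTP(S) test is only a prefix match (`/^https?:/i`) applied after `ABSOLUTE_URL_REGEX`, whose definition is not visible here. A reader could therefore take `true` to mean the URL is well-formed or safe to redirect to or fetch. I would add one sentence to the option's doc, for example `This only checks the scheme; it does not validate the host or the rest of the URL, so it is not a redirect or fetch allowlist.` The function's doc comment is split across hunks and only partly visible.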

@@ -8,3 +8,6 @@ // Scheme: https://tools.ietf.org/html/rfc3986#section-3.1

export default function isAbsoluteUrl(url) {
// HTTP(S) protocols only for maximum security
const HTTP_PROTOCOLS_REGEX = /^https?:/i;
export default function isAbsoluteUrl(url, options = {}) {
if (typeof url !== 'string') {

@@ -18,3 +21,16 @@ throw new TypeError(`Expected a \`string\`, got \`${typeof url}\``);

return ABSOLUTE_URL_REGEX.test(url);
if (!ABSOLUTE_URL_REGEX.test(url)) {
return false;
}
// Default httpOnly to true for security
const {httpOnly = true} = options;
// When httpOnly is false, allow any absolute URL
if (!httpOnly) {
return true;
}
// When httpOnly is true, only allow HTTP(S) protocols
return HTTP_PROTOCOLS_REGEX.test(url);
}
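Review bot: With `httpOnly` defaulting to `true`, a `false` return in the last hunk no longer means "not absolute": per the documented examples, `javascript:alert(1)` passes `ABSOLUTE_URL_REGEX` and is then rejected by `HTTP_PROTOCOLS_REGEX`, so it gets the same answer as a relative path. Callers that negate the result to decide a value is a relative, same-origin link (the readme points to is-relative-url as "the inverse") need re-checking after the upgrade; whether any exist is not visible here. I would say so at the final return, e.g. `// false means "not an absolute HTTP(S) URL": relative URLs and javascript:, data:, etc. all land here`. Separately, `options = {}` only covers `undefined`, so `isAbsoluteUrl(url, null)` would throw at the destructuring; `const {httpOnly = true} = options ?? {};` avoids that. The function body starts in the previous hunk and the lines between the hunks are outside the page.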

17

package.json
{
"name": "is-absolute-url",
"version": "4.0.1",
"version": "5.0.0",
"description": "Check if a URL is absolute",

@@ -14,8 +14,12 @@ "license": "MIT",

"type": "module",
"exports": "./index.js",
"exports": {
"types": "./index.d.ts",
"default": "./index.js"
},
"sideEffects": false,
"engines": {
"node": "^12.20.0 || ^14.13.1 || >=16.0.0"
"node": ">=20"
},
"scripts": {
"test": "xo && ava && tsd"
"test": "xo && ava"
},

@@ -34,6 +38,5 @@ "files": [

"devDependencies": {
"ava": "^3.15.0",
"tsd": "^0.17.0",
"xo": "^0.44.0"
"ava": "^6.4.1",
"xo": "^1.2.2"
}
}
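Review bot: Reading each printed pair as old-then-new (as the version lines suggest), the `test` script drops `tsd` and the `tsd` devDependency is removed in the same release that adds the `Options` type and a second parameter to index.d.ts. Nothing visible here still checks the published declarations, while `exports.types` now points consumers at `./index.d.ts`. A mismatch between the declaration and index.js, such as the documented `httpOnly` default, would then go unnoticed in CI. If type tests moved elsewhere, that is not shown on this page; otherwise keep `"test": "xo && ava && tsd"` or an equivalent type check.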

@@ -7,5 +7,5 @@ # is-absolute-url

```sh
npm install is-absolute-url
```
$ npm install is-absolute-url
```

@@ -25,18 +25,37 @@ ## Usage

//=> false
isAbsoluteUrl('javascript:alert(1)');
//=> false
isAbsoluteUrl('javascript:alert(1)', {httpOnly: false});
//=> true
```
## API
### isAbsoluteUrl(url, options?)
#### url
Type: `string`
The URL to check.
#### options
Type: `object`
##### httpOnly
Type: `boolean`\
Default: `true`
Only allow HTTP(S) protocols.
When set to `false`, any valid absolute URL will be accepted, including potentially unsafe protocols like `javascript:`, `ftp:`, `ws:`, etc.
> **Warning**: Setting `httpOnly` to `false` can pose security risks as it will return `true` for URLs with protocols like `javascript:`, `vbscript:`, `data:`, `ftp:`, `ws:`, etc. Only set this to `false` if you understand the implications and have appropriate safeguards in place.
## Related
See [is-relative-url](https://github.com/sindresorhus/is-relative-url) for the inverse.
---
<div align="center">
<b>
<a href="https://tidelift.com/subscription/pkg/npm-is-absolute-url?utm_source=npm-is-absolute-url&utm_medium=referral&utm_campaign=readme">Get professional support for this package with a Tidelift subscription</a>
</b>
<br>
<sub>
Tidelift helps make open source sustainable for maintainers while giving companies<br>assurances about security, maintenance, and licensing for their dependencies.
</sub>
</div>