chore: add a little extra validation

[43081j]

This adds some extra validation and/or sanitisation to two places:

• Badges (sanitise values for rendering)
• Social websites (yet unused but we don't want to be directing users to
  ftp, custom protocols, etc)

🔗 Linked issue

N/A

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Ready	Preview, Comment	Mar 3, 2026 3:40pm

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored	Preview	Mar 3, 2026 3:40pm
npmx-lunaria	Ignored		Mar 3, 2026 3:40pm

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between de28051 and 4ecd92a.

📒 Files selected for processing (2)

• server/api/registry/badge/[type]/[...pkg].get.ts
• shared/schemas/social.ts

---

📝 Walkthrough

Walkthrough

This pull request introduces two security and validation enhancements. First, it adds XML escaping functionality to the badge API endpoint to sanitise all user-provided labels and values before embedding them in SVG output across both default and shields-style badge rendering formats. Second, it modifies the profile website field validation to accept only empty strings or URLs starting with http:// or https://, with a runtime check enforcing the URL scheme requirement.

Possibly related PRs

• fix: improve validation and submitting on profile page #1838: Modifies profile website validation by adding runtime URL scheme checks in the profile PUT handler and converting the profile editor to a form, complementing the schema-level validation changes in this PR.

Suggested reviewers

• danielroe

🚥 Pre-merge checks | ✅ 1

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description check	✅ Passed	The pull request description accurately describes the changeset: adding XML sanitisation for badge values and HTTP(s) validation for social website URLs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch jg/minor-considerably-small-changelings

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}