fix (v4) : adds strict validation to httpUrl() (#5672)

* checkpoint

* refactored to make it robust

* refactor: use shared httpProtocol regex constant instead of regex-inspecting regex source

- Move /^https?$/ to regexes.httpProtocol shared constant
- Compare def.protocol.source exactly against the constant
- Only enforce :// check when normalize is off

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Colin McDonnell <colinmcd94@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 3 people

packages/zod/src/v4/classic/schemas.ts

@@ -516,7 +516,7 @@ export function url(params?: string | core.$ZodURLParams): ZodURL {
 
 export function httpUrl(params?: string | Omit<core.$ZodURLParams, "protocol" | "hostname">): ZodURL {
   return core._url(ZodURL, {
-    protocol: /^https?$/,
+    protocol: core.regexes.httpProtocol,
     hostname: core.regexes.domain,
     ...util.normalizeParams(params),
   });

packages/zod/src/v4/classic/tests/string.test.ts

@@ -454,6 +454,12 @@ test("httpurl", () => {
   ).toThrow();
   expect(() => httpUrl.parse("http://asdf.c")).toThrow();
   expect(() => httpUrl.parse("mailto:asdf@lckj.com")).toThrow();
+  // missing // after protocol
+  expect(() => httpUrl.parse("http:example.com")).toThrow();
+  expect(() => httpUrl.parse("https:example.com")).toThrow();
+  // missing one /
+  expect(() => httpUrl.parse("https:/www.google.com")).toThrow();
+  expect(() => httpUrl.parse("http:/example.com")).toThrow();
 });
 
 test("url error overrides", () => {

packages/zod/src/v4/core/regexes.ts

@@ -81,6 +81,8 @@ export const hostname: RegExp =
 
 export const domain: RegExp = /^([a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/;
 
+export const httpProtocol: RegExp = /^https?$/;
+
 // https://blog.stevenlevithan.com/archives/validate-phone-number#r4-3 (regex sans spaces)
 // E.164: leading digit must be 1-9; total digits (excluding '+') between 7-15
 export const e164: RegExp = /^\+[1-9]\d{6,14}$/;

packages/zod/src/v4/core/schemas.ts

@@ -478,6 +478,23 @@ export const $ZodURL: core.$constructor<$ZodURL> = /*@__PURE__*/ core.$construct
     try {
       // Trim whitespace from input
       const trimmed = payload.value.trim();
+
+      // When normalize is off, require :// for http/https URLs
+      // This prevents strings like "http:example.com" or "https:/path" from being silently accepted
+      if (!def.normalize && def.protocol?.source === regexes.httpProtocol.source) {
+        if (!/^https?:\/\//i.test(trimmed)) {
+          payload.issues.push({
+            code: "invalid_format",
+            format: "url",
+            note: "Invalid URL format",
+            input: payload.value,
+            inst,
+            continue: !def.abort,
+          });
+          return;
+        }
+      }
+
       // @ts-ignore
       const url = new URL(trimmed);
 

packages/zod/src/v4/mini/schemas.ts

@@ -200,7 +200,7 @@ export function url(params?: string | core.$ZodURLParams): ZodMiniURL {
 // @__NO_SIDE_EFFECTS__
 export function httpUrl(params?: string | Omit<core.$ZodURLParams, "protocol" | "hostname">): ZodMiniURL {
   return core._url(ZodMiniURL, {
-    protocol: /^https?$/,
+    protocol: core.regexes.httpProtocol,
     hostname: core.regexes.domain,
     ...util.normalizeParams(params),
   });