From 38c39770790416f7673e0471b19060d680f0c6db Mon Sep 17 00:00:00 2001
From: Steven Jaime <143671152+Stivenjs@users.noreply.github.com>
Date: Mon, 16 Feb 2026 13:32:03 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 124: Incomplete URL substring sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../src/components/DevAutoReloadScript.tsx | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/app/[store]/src/components/DevAutoReloadScript.tsx b/src/app/[store]/src/components/DevAutoReloadScript.tsx
index 1e39cbe0..31a5fc09 100644
--- a/src/app/[store]/src/components/DevAutoReloadScript.tsx
+++ b/src/app/[store]/src/components/DevAutoReloadScript.tsx
@@ -38,11 +38,22 @@ export default function DevAutoReloadScript() {
 links.forEach((oldLink) => {
 if (!oldLink.href) return;
 
+ let parsedUrl: URL;
+ try {
+ parsedUrl = new URL(oldLink.href, window.location.origin);
+ } catch {
+ // Si la URL no es vĂ¡lida, no intentar hacer hot-swap.
+ return;
+ }
+
+ const hostname = parsedUrl.hostname;
+ const pathname = parsedUrl.pathname;
+
 // Ignorar CSS externos (Google Fonts, CDNs, etc.)
 if (
- oldLink.href.includes('fonts.googleapis.com') ||
- oldLink.href.includes('fonts.gstatic.com') ||
- !oldLink.href.includes('/stores/')
+ hostname === 'fonts.googleapis.com' ||
+ hostname === 'fonts.gstatic.com' ||
+ !pathname.includes('/stores/')
 ) {
 return;
 }
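Review bot: The rewritten guard still treats a stylesheet from any other host as a store stylesheet when its path contains `/stores/`, because it denies only two hostnames by name and the last test is an unanchored substring match on `pathname`. The comment above the `if` says external CSS in general (CDNs, etc.) should be skipped, so an allow-style check on the expected origin would match that intent better than a deny-list. If store CSS is always served from the page's own origin (not visible in this hunk, so confirm), `if (parsedUrl.origin !== window.location.origin || !pathname.includes('/stores/')) return;` would cover it and make the two hostname comparisons unnecessary. The `forEach` callback continues past the end of the hunk, so what happens to a link that passes the guard is not shown here.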