From 397e78fec62ca4dbc39636eff932ee0e9e401668 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 7 Apr 2026 16:32:28 +0000
Subject: [PATCH] fix potential vuln

---
 static/static/rest_framework/js/coreapi-0.1.1.js | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/static/static/rest_framework/js/coreapi-0.1.1.js b/static/static/rest_framework/js/coreapi-0.1.1.js
index 3c5a2be29..c1de08437 100644
--- a/static/static/rest_framework/js/coreapi-0.1.1.js
+++ b/static/static/rest_framework/js/coreapi-0.1.1.js
@@ -1310,6 +1310,17 @@ URL.prototype.toString = function toString(stringify) {
 result += url.username;
 if (url.password) result += ':'+ url.password;
 result += '@';
+ } else if (
+ url.protocol !== 'file:' &&
+ isSpecial(url.protocol) &&
+ !url.host &&
+ url.pathname !== '/'
+ ) {
+ //
+ // Add back the empty userinfo, otherwise the original invalid URL
+ // might be transformed into a valid one with `url.pathname` as host.
+ //
+ result += '@';
 }
 
 result += url.host + url.pathname;
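Review bot: `isSpecial(url.protocol)` in the added `else if` is not defined by this patch (the diffstat lists only these 11 added lines), so it must already exist elsewhere in the bundle. If it does not, the call throws a ReferenceError whenever the branch is reached with a non-`file:` protocol, which presumably means every ordinary `http:`/`https:` URL without a username, because `url.protocol !== 'file:'` is evaluated first. Confirm the helper is in scope, or add one next to the serializer, e.g. `function isSpecial(scheme) { return /^(?:file|ftp|https?|wss?):$/.test(scheme); }`. The guard also only takes effect if this bundle's parser can leave `url.host` empty with a non-root `url.pathname` for a special scheme, which is not visible here, so a regression test that parses and re-serializes such a URL would show whether the fix is complete. `toString` starts before the hunk and continues past it.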