Potential fix for code scanning alert no. 211: Log entries created from user input

jeffcumpsty-tpx · github-advanced-security[bot] · web-flow · commit cd42e0df74fd · 2026-02-12T04:19:05.000Z
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/OpenReferralApi.Core/Services/SchemaResolverService.cs b/OpenReferralApi.Core/Services/SchemaResolverService.cs
@@ -282,8 +282,18 @@ public static string SanitizeUrlForLogging(string url)
     if (string.IsNullOrEmpty(url))
       return url;
 
-    // Strip control characters (including CR/LF) to prevent log forging
-    var cleaned = new string(url.Where(c => !char.IsControl(c)).ToArray());
+    // Normalize whitespace and strip control characters (including CR/LF) to prevent log forging
+    var trimmed = url.Trim();
+    var cleaned = new string(trimmed.Where(c => !char.IsControl(c)).ToArray());
+
+    // Optionally limit length to avoid log flooding/obfuscation with attacker-controlled data
+    const int maxLength = 2048;
+    if (cleaned.Length > maxLength)
+    {
+      cleaned = cleaned.Substring(0, maxLength) + "...(truncated)";
+    }
+
+    return cleaned;
 
     try
     {
