mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-07-04 20:04:20 +00:00
fb3a1559b2
A support URL saved without a scheme (e.g. "t.me/handle") is served verbatim in the subscription Support-Url header and page data, and client apps resolve it relative to the subscription domain — clicking it lands on "https://panel.example/t.me/handle". Same hazard for the profile URL. Default the scheme to https:// when none is present, both when saving the settings and when reading already-stored values, so existing databases are covered without a migration. Deliberate non-http schemes (tg://, mailto:, tel:) pass through untouched, which is why these two fields don't go through SanitizeHTTPURL's http(s)-only validation. Closes #5738