Potential fix for code scanning alert no. 19: Incomplete URL substring sanitization

[Tanker187]

Potential fix for https://github.com/Tanker187/stagehand/security/code-scanning/19

In general, the fix for incomplete URL substring sanitization is to parse the URL and compare structured components (host, protocol, pathname, etc.) against explicit expectations instead of matching a long URL string with includes. For this example, the goal is just to verify that the page ended up on the exact expected URL. The best fix is to parse currentUrl using the standard URL class, then compare its origin and pathname to the known expected values, or compare against a parsed expectedUrl object. This preserves functionality (a boolean “did we reach the right page?”) while removing the brittle substring check.

Concretely in packages/core/examples/actionable_observe_example.ts, around lines 61–75:

• Replace the if (currentUrl.includes("https://www.apartments.com/...")) block with logic that:
  • Builds a URL object from currentUrl.
  • Builds a URL object from the expected string.
  • Compares origin and pathname (and optionally search if needed) for equality.
• Keep the success and failure console.log messages exactly as they are, changing only the condition.

No new imports are required because URL is available in Node.js and in modern runtimes.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.