From c3d33b3f3b4543347b8a8e8d79c281173b3fbb1c Mon Sep 17 00:00:00 2001
From: Tanker187
Date: Wed, 18 Feb 2026 13:56:06 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 21: Incomplete URL substring sanitization
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 packages/evals/tasks/agent/trivago.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/packages/evals/tasks/agent/trivago.ts b/packages/evals/tasks/agent/trivago.ts
index 7248a4081..b3adbbbbd 100644
--- a/packages/evals/tasks/agent/trivago.ts
+++ b/packages/evals/tasks/agent/trivago.ts
@@ -19,10 +19,11 @@ export const trivago: EvalFunction = async ({
 logger.log(agentResult);
 const url = page.url();
+ const parsedUrl = new URL(url);
 if (
- url.includes("hotel-h10-tribeca-madrid") &&
- url.includes("trivago.com")
+ parsedUrl.hostname === "www.trivago.com" &&
+ url.includes("hotel-h10-tribeca-madrid")
 ) {
 return {
 _success: true,
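Review bot: The slug test in the new condition still runs `url.includes("hotel-h10-tribeca-madrid")` against the whole URL string, so a match in the query string or fragment counts as success even though the host is now pinned; if the slug is expected in the path, `parsedUrl.pathname.includes("hotel-h10-tribeca-madrid")` keeps both checks on parsed components. The exact comparison with `"www.trivago.com"` also rejects the bare domain and any other subdomain that the old substring check accepted; if those are valid landing hosts, list them explicitly or use `parsedUrl.hostname === "trivago.com" || parsedUrl.hostname.endsWith(".trivago.com")` rather than loosening back to a substring match. `new URL(url)` throws on a string it cannot parse, and the function body starts and ends outside this hunk, so it is not visible whether a surrounding `try` turns that into a failed eval result instead of an unhandled rejection.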