fix(restaurant): #357 후속 — tabling-url validation에 www. 호스트 허용

- Naver/DDG 결과가 www.tabling.co.kr 형태인데 PUT validation에서 거부됨 - bulk-tabling SSE는 validation 없이 통과 — 불일치 해소 - catchtable은 이미 app/www 둘 다 허용 (기존) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-15 21:02:32 +09:00
parent d73947444f
commit 52090057de
2 changed files with 11 additions and 2 deletions
--- a/backend-java/src/main/java/com/tasteby/controller/RestaurantController.java
+++ b/backend-java/src/main/java/com/tasteby/controller/RestaurantController.java
@@ -252,8 +252,11 @@ public class RestaurantController {
        if (r == null) throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        String url = body.get("tabling_url");
        // #290 — javascript:/외부 악성 URL 차단. 빈 문자열은 매핑 해제로 허용.
-        if (url != null && !url.isBlank() && !url.startsWith("https://tabling.co.kr/")) {
-            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "테이블링 URL은 https://tabling.co.kr/ 만 허용");
+        // Naver/DDG 결과가 www.tabling.co.kr 형태로도 옴.
+        if (url != null && !url.isBlank()
+                && !url.startsWith("https://tabling.co.kr/")
+                && !url.startsWith("https://www.tabling.co.kr/")) {
+            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "테이블링 URL은 https://(www.)tabling.co.kr/ 만 허용");
        }
        restaurantService.update(id, Map.of("tabling_url", url != null ? url : ""));
        cache.flush();