feat: add validateRedirectUrl to enforce variables only in path for routing forms

[KartikLabhshetwar]

What does this PR do?

• Fixes Don't allow variables in query params for custom event redirects (routing forms) #26535
• Fixes CAL-7034

Problem:
Field identifier variables (e.g., {name}) could be used anywhere in routing form redirect URLs, including in query parameters (e.g., kartik/chat?name={name}). This caused confusion since responses are automatically forwarded as query parameters by default, making variables in query params redundant and potentially problematic.

Solution:
Add client-side validation to prevent users from entering field identifier variables in query parameters of custom event redirect URLs. Variables are now only allowed in the URL path segment (e.g., kartik/{name}).

Visual Demo (For contributors especially)

Video Demo (if applicable):

Screen.Recording.2026-01-07.at.5.07.23.PM.mov

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

---

Summary by cubic

Blocks using field identifier variables (e.g., {name}) in query parameters for routing form custom event redirects. Variables are now allowed only in the URL path, addressing CAL-7034 and #26535.

• New Features
  • Added validateVariablesNotInQueryParams with unit tests.
  • Enforced validation in RouteBuilder; shows inline error when variables appear in the query string.
  • Updated copy to clarify that responses are auto-forwarded as query params and added a “Learn more” link.

^{Written for commit 859e5d5. Summary will update on new commits.}

[vercel]

@KartikLabhshetwar is attempting to deploy a commit to the cal-staging Team on Vercel.

A member of the Team first needs to authorize it.

[cubic-dev-ai]

2 issues found across 4 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/app-store/routing-forms/lib/validateRedirectUrl.ts">

<violation number="1" location="packages/app-store/routing-forms/lib/validateRedirectUrl.ts:24">
P2: URL fragments (hash portion) are incorrectly included when checking for variables in query parameters. For a URL like `path?param=value#section={name}`, the variable `{name}` is in the fragment, not the query params, but would be flagged as invalid. Consider stripping the fragment before checking the query string.</violation>
</file>

<file name="apps/web/app/(use-page-wrapper)/apps/routing-forms/[...pages]/RouteBuilder.tsx">

<violation number="1" location="apps/web/app/(use-page-wrapper)/apps/routing-forms/[...pages]/RouteBuilder.tsx:785">
P2: Validation error doesn't prevent the route from being updated. The `setRoute` call executes regardless of validation result, allowing invalid URLs to be saved. Consider returning early when validation fails, or at minimum disabling the form submission when `customUrlValidationError` is set.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[zaidkhanvmi]

@KartikLabhshetwar Heyy man i wanted to work on this issue but you did give us chance please you are already a pro contributer
btw Congrats to you