From db8a2cbd2703f80f869ac3956f4823644538e51e Mon Sep 17 00:00:00 2001
From: Tim Kelty
Date: Tue, 4 Feb 2025 22:44:51 -0500
Subject: [PATCH 1/2] Don't allow URLs in username

---
 src/elements/User.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/elements/User.php b/src/elements/User.php
index 6a51c7288c2..0be17407873 100644
--- a/src/elements/User.php
+++ b/src/elements/User.php
@@ -888,7 +888,7 @@ protected function defineRules(): array
 ];
 
 $rules[] = [
- ['fullName', 'firstName', 'lastName'], function($attribute, $params, Validator $validator) {
+ ['fullName', 'firstName', 'lastName', 'username'], function($attribute, $params, Validator $validator) {
 if (str_contains($this->$attribute, '://')) {
 $validator->addError($this, $attribute, Craft::t('app', 'Invalid value “{value}”.'));
 }

From 2c2d46e9fba8d7da681442ad658c0a4e4f604daa Mon Sep 17 00:00:00 2001
From: brandonkelly
Date: Wed, 5 Feb 2025 12:17:33 -0800
Subject: [PATCH 2/2] Release note [ci skip]

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f4703ca836..206939503c9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes for Craft CMS 4
 
+## Unreleased
+
+- Fixed a potential phishing attack vector.
+
 ## 4.14.4 - 2025-02-04
 
 - Fixed an error that occurred when accessing the `edit/` route for a draft that no longer existed.
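Review bot: The inline rule on the `+` line now covers `username` but nothing in the code says why a `://` substring is rejected; the only rationale is the release note in the second patch, so a reader of `defineRules()` cannot tell this is a deliberate anti-phishing control rather than a formatting quirk. A comment above the closure such as `// Reject URL-looking values in name and username fields: these are rendered in user-facing output, so a link-shaped value could be abused for phishing` would keep the intent attached to the code. Note that the check only catches values carrying a scheme delimiter, so scheme-less forms like a bare hostname with a path still pass; if the intent is to block anything link-shaped that limitation should be stated in the same comment. The closure presumably relies on Yii's default `skipOnEmpty` for a null `username`, otherwise `str_contains()` would receive `null`; worth confirming since the enclosing `defineRules()` starts and ends outside the hunk.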