fix: avoid userinfo url rewrites

src/Url/UrlTransformer.php

@@ -56,7 +56,7 @@ final class UrlTransformer {
 			$sources
 		);
 
-		return '~(?<![A-Za-z0-9.-])(?:' . implode( '|', $quoted ) . ')(?![A-Za-z0-9.-])~';
+		return '~(?<![A-Za-z0-9.-])(?:' . implode( '|', $quoted ) . ')(?![A-Za-z0-9.@-])~';
 	}
 
 	private function toProtocolRelative( string $url ): string {

tests/Unit/Url/UrlTransformerTest.php

@@ -114,6 +114,23 @@ class UrlTransformerTest extends TestCase {
 		);
 	}
 
+	public function test_it_does_not_rewrite_userinfo_host_lookalikes(): void {
+		$transformer = new UrlTransformer();
+		$mappings    = new UrlMappingCollection(
+			array(
+				new UrlMapping( 'https://example.test', 'https://staging.example.test' ),
+			)
+		);
+
+		self::assertSame(
+			'https://example.test@evil.test/path https://staging.example.test/path',
+			$transformer->transformString(
+				'https://example.test@evil.test/path https://example.test/path',
+				$mappings
+			)
+		);
+	}
+
 	public function test_it_prefers_more_specific_overlapping_mappings(): void {
 		$transformer = new UrlTransformer();
 		$mappings    = new UrlMappingCollection(