fix: avoid userinfo url rewrites

tests/Unit/Url/UrlTransformerTest.php

@@ -114,6 +114,23 @@ class UrlTransformerTest extends TestCase {
 		);
 	}
 
+	public function test_it_does_not_rewrite_userinfo_host_lookalikes(): void {
+		$transformer = new UrlTransformer();
+		$mappings    = new UrlMappingCollection(
+			array(
+				new UrlMapping( 'https://example.test', 'https://staging.example.test' ),
+			)
+		);
+
+		self::assertSame(
+			'https://example.test@evil.test/path https://staging.example.test/path',
+			$transformer->transformString(
+				'https://example.test@evil.test/path https://example.test/path',
+				$mappings
+			)
+		);
+	}
+
 	public function test_it_prefers_more_specific_overlapping_mappings(): void {
 		$transformer = new UrlTransformer();
 		$mappings    = new UrlMappingCollection(