From 426cae780b5ffedac427a8430c81910b046859d8 Mon Sep 17 00:00:00 2001
From: Nick Perez
Date: Thu, 21 May 2026 08:48:17 +0200
Subject: [PATCH 1/2] fix: incomplete URL scheme check

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 packages/react/src/util/sanitizeUrl.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/react/src/util/sanitizeUrl.ts b/packages/react/src/util/sanitizeUrl.ts
index 08282055ee..4be92ce115 100644
--- a/packages/react/src/util/sanitizeUrl.ts
+++ b/packages/react/src/util/sanitizeUrl.ts
@@ -9,7 +9,11 @@ export function sanitizeUrl(inputUrl: string, baseUrl: string): string {
 const url = new URL(inputUrl, baseUrl);
 // eslint-disable-next-line no-script-url -- false positive, we are explicitly checking if the protocol is safe to prevent XSS
- if (url.protocol !== "javascript:") {
+ if (
+ url.protocol !== "javascript:" &&
+ url.protocol !== "data:" &&
+ url.protocol !== "vbscript:"
+ ) {
 return url.href;
 }
 } catch (error) {

From b048326e2b587e2c4f6a5158d6c65197ac4a72e6 Mon Sep 17 00:00:00 2001
From: Nick the Sick
Date: Thu, 21 May 2026 08:54:19 +0200
Subject: [PATCH 2/2] fix: move eslint-disable-next-line to cover javascript: string literal

The multi-line if condition moved the 'javascript:' string to a line no longer covered by the eslint-disable-next-line directive. Move the comment inside the if condition so it correctly suppresses no-script-url on the line containing the string literal.
---
 packages/react/src/util/sanitizeUrl.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/react/src/util/sanitizeUrl.ts b/packages/react/src/util/sanitizeUrl.ts
index 4be92ce115..98d7f0e9e7 100644
--- a/packages/react/src/util/sanitizeUrl.ts
+++ b/packages/react/src/util/sanitizeUrl.ts
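Review bot: The new condition in the first hunk still keys off a denylist of three schemes, so any scheme not named in it (other ones such as `blob:` or `file:`, or one a future browser adds) passes straight through to `return url.href;`, and the "incomplete URL scheme check" finding will recur every time the list is found short. An allowlist is the usual shape for this check: `const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);` at module level and `if (SAFE_PROTOCOLS.has(url.protocol)) {` in place of the three `!==` comparisons, with the set adjusted to whatever the application actually links to. Relative inputs are unaffected either way, because `new URL(inputUrl, baseUrl)` resolves them to the base's scheme, and `url.protocol` comes back lowercased from the URL parser, so neither the current nor the proposed comparison needs separate case handling. The fallback taken when the check fails, and the end of sanitizeUrl, lie outside the hunk.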
@@ -8,8 +8,8 @@ export function sanitizeUrl(inputUrl: string, baseUrl: string): string {
 try {
 const url = new URL(inputUrl, baseUrl);
- // eslint-disable-next-line no-script-url -- false positive, we are explicitly checking if the protocol is safe to prevent XSS
 if (
+ // eslint-disable-next-line no-script-url -- false positive, we are explicitly checking if the protocol is safe to prevent XSS
 url.protocol !== "javascript:" &&
 url.protocol !== "data:" &&
 url.protocol !== "vbscript:"