From b5ab9ca839f4016c667714d76b51c5832e3bb6cf Mon Sep 17 00:00:00 2001
From: Gandalf
Date: Tue, 23 Dec 2025 15:53:22 +0100
Subject: [PATCH] fix: Validate external URLs before rendering as links

Add isSafeExternalUrl utility to validate that URLs use http/https protocol before rendering them as clickable links. This prevents potentially malicious URL schemes from being used in href attributes. Applied to Twitter profile links from third-party API responses.
---
 .../layouts/user-profile/profile-layout.tsx | 4 ++--
 packages/ui/lib/css-utils.ts | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/apps/blog/features/layouts/user-profile/profile-layout.tsx b/apps/blog/features/layouts/user-profile/profile-layout.tsx
index c06377285..40f578fb9 100644
--- a/apps/blog/features/layouts/user-profile/profile-layout.tsx
+++ b/apps/blog/features/layouts/user-profile/profile-layout.tsx
@@ -8,7 +8,7 @@ import { useQuery } from '@tanstack/react-query';
 import env from '@beam-australia/react-env';
 import { useTranslation } from '@/blog/i18n/client';
-import { Avatar, AvatarFallback, AvatarImage, proxifyImageSrc, getUserAvatarUrl, escapeCssUrl, isSafeImageUrl } from '@ui/components';
+import { Avatar, AvatarFallback, AvatarImage, proxifyImageSrc, getUserAvatarUrl, escapeCssUrl, isSafeImageUrl, isSafeExternalUrl } from '@ui/components';
 import { Separator } from '@hive/ui/components/separator';
 import TimeAgo from '@ui/components/time-ago';
 import { Icons } from '@hive/ui/components/icons';
@@ -172,7 +172,7 @@ const ProfileLayout = ({ children }: { children: ReactNode }) => {
 />
 ) : null}
-{twitterData ? (
+{twitterData && isSafeExternalUrl(twitterData.twitter_profile) ? (