Potential fix for code scanning alert no. 12: DOM text reinterpreted as HTML

xbubbo · github-advanced-security[bot] · web-flow · commit 4f8707e3f7d0 · 2025-12-14T16:43:51.000-05:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/src/components/Browser.tsx b/src/components/Browser.tsx
@@ -1,6 +1,6 @@
 import { ChevronLeft, ChevronRight, Home, Lock, Maximize2, Menu, MoreVertical, Plus, RotateCw, Star, X } from "lucide-react";
 import { useEffect, useMemo, useRef, useState } from "react";
-import { actionBarClass, addressInputClass, classNames, closeButtonClass, encodeProxyUrl, formatUrl, getActualUrl, getDefaultUrl, type Tab, tabButtonClass } from "@/lib/tabs";
+import { actionBarClass, addressInputClass, classNames, closeButtonClass, encodeProxyUrl, formatUrl, getActualUrl, getDefaultUrl, type Tab, tabButtonClass, sanitizeUrl } from "@/lib/tabs";
 
 const IconButton = ({ onClick, icon: Icon, className = "", disabled = false, title = "" }: { onClick?: () => void; icon: React.ComponentType<{ className?: string }>; className?: string; disabled?: boolean; title?: string }) => (
   <button
@@ -450,7 +450,7 @@ export default function Browser() {
               iframeRefs.current[tab.id] = el;
             }}
             title={tab.title}
-            src={encodeProxyUrl(tab.url)}
+            src={encodeProxyUrl(sanitizeUrl(tab.url))}
             className={classNames("absolute inset-0 h-full w-full border-0", tab.active ? "block" : "hidden")}
             sandbox="allow-scripts allow-same-origin allow-forms allow-popups allow-popups-to-escape-sandbox"
           />
diff --git a/src/lib/tabs.ts b/src/lib/tabs.ts
@@ -46,6 +46,21 @@ export const getDefaultUrl = () => {
   }
 };
 
+// Only allow 'about:blank' and HTTP(S) URLs. All others are replaced with 'about:blank'.
+export function sanitizeUrl(url: string): string {
+  if (!url || url === "about:blank") return "about:blank";
+  try {
+    // This throws for invalid URLs, so fallback to 'about:blank'
+    const parsed = new URL(url, "https://example.com");
+    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
+      return parsed.href;
+    }
+  } catch {
+    // Malformed URL, fallback
+  }
+  return "about:blank";
+}
+
 export const encodeProxyUrl = (url: string): string => {
   if (!url || url === "about:blank") return "about:blank";
   if (typeof window === "undefined") return url;
