fix: url santization

Author: TheDThompsonDev

package-lock.json

@@ -15,7 +15,7 @@
   },
   "dependencies": {
     "@tanstack/react-query": "^5.54.1",
-    "@vercel/blob": "^1.1.1",
+    "@vercel/blob": "^2.0.1",
     "appwrite": "^15.0.0",
     "dotenv": "^17.2.1",
     "next": "^16.1.6",

package.json

@@ -1,7 +1,15 @@
+/**
+ * Custom Next.js server for local development only.
+ *
+ * SECURITY NOTE: This uses HTTP (not HTTPS) which is acceptable for localhost development.
+ * In production, this file is NOT used - Vercel handles HTTPS termination automatically.
+ * Do not use this server in production environments.
+ */
 const { createServer } = require('http');
 const { parse } = require('url');
 const next = require('next');
 
+// This server is for LOCAL DEVELOPMENT ONLY - Vercel handles production
 const dev = process.env.NODE_ENV !== 'production';
 const hostname = 'localhost';
 const port = 3000;

server.js

@@ -5,6 +5,7 @@ import { Speaker } from '@/types';
 import styles from './speakersList.module.css';
 import Image from 'next/image';
 import { LABELS } from '@/app/labels';
+import { sanitizeExternalUrl } from '@/utils/urlSanitizer';
 
 interface SpeakersListProps {
   selectedTopic?: string | null;
@@ -153,9 +154,9 @@ export default function SpeakersList({ selectedTopic }: SpeakersListProps) {
                       {formatDate(speaker.lastSpoke)}
                     </p>
                   )}
-                  {speaker.linkedin && (
+                  {sanitizeExternalUrl(speaker.linkedin) && (
                     <a
-                      href={speaker.linkedin}
+                      href={sanitizeExternalUrl(speaker.linkedin)!}
                       target='_blank'
                       rel='noopener noreferrer'
                       className={styles.linkedinLink}

src/components/speakersList/speakersList.tsx

@@ -5,6 +5,7 @@ import { Speaker } from '@/types';
 import OptimizedImage from '@/components/ui/OptimizedImage';
 import styles from './teamList.module.css';
 import { LABELS } from '@/app/labels';
+import { sanitizeExternalUrl } from '@/utils/urlSanitizer';
 
 function TeamListComponent({ peopleData }: { peopleData: Speaker[] }) {
   return (
@@ -35,9 +36,9 @@ function TeamListComponent({ peopleData }: { peopleData: Speaker[] }) {
                     {LABELS.teamList.admin_role}
                   </p>
                   <p className={styles.teamCompany}>{LABELS.app.orgName}</p>
-                  {person.linkedin && (
+                  {sanitizeExternalUrl(person.linkedin) && (
                     <a
-                      href={person.linkedin}
+                      href={sanitizeExternalUrl(person.linkedin)!}
                       target='_blank'
                       rel='noopener noreferrer'
                       className={styles.linkedinLink}

src/components/teamList/teamList.tsx

@@ -0,0 +1,19 @@
+/**
+ * Sanitize a generic external URL.
+ * Only allows HTTPS URLs to prevent javascript: and data: XSS attacks.
+ *
+ * @param url - The URL to sanitize
+ * @returns The sanitized URL if valid, null otherwise
+ */
+export function sanitizeExternalUrl(url: string | undefined): string | null {
+  if (!url) return null;
+  try {
+    const parsed = new URL(url);
+    if (parsed.protocol === 'https:') {
+      return parsed.href;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}