Potential fix for code scanning alert no. 22: Incomplete URL substring sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: maximiliani

packages/stencil-library/src/rendererModules/SPDXType.tsx

@@ -405,9 +405,15 @@ export class SPDXType extends GenericIdentifierType {
    * Finds the most official-looking URL from a list of URLs
    */
   private findOfficialUrl(urls: string[]): string | undefined {
+    const allowedHosts = ['opensource.org', 'fsf.org', 'gnu.org', 'apache.org', 'creativecommons.org'];
     return urls.find((url: string) => {
-      const lower = url.toLowerCase();
-      return lower.includes('opensource.org') || lower.includes('fsf.org') || lower.includes('gnu.org') || lower.includes('apache.org') || lower.includes('creativecommons.org');
+      try {
+        const parsedUrl = new URL(url);
+        return allowedHosts.includes(parsedUrl.host);
+      } catch {
+        // Ignore invalid URLs
+        return false;
+      }
     });
   }