Skip to content

Fix unsafe URL launch in AttachesRenderer#21

Merged
RZEROSTERN merged 2 commits intofeat/phase-2-viewer-completeness-part-2from
copilot/sub-pr-20
Mar 25, 2026
Merged

Fix unsafe URL launch in AttachesRenderer#21
RZEROSTERN merged 2 commits intofeat/phase-2-viewer-completeness-part-2from
copilot/sub-pr-20

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 25, 2026
edited
Loading

AttachesRenderer was calling Uri.parse (throws on malformed input) and passing the result directly to launchUrl with no scheme validation, allowing arbitrary URI schemes from document data.

Changes

  • attaches_renderer.dart: Replace unsafe one-liner with the safe async pattern already established in EmbedRenderer and LinkToolRenderer:
    • Uri.tryParse instead of Uri.parse — returns null on malformed input rather than throwing
    • Scheme allowlist (http/https only) — blocks javascript:, file:, etc.
    • canLaunchUrl pre-check before invoking launchUrl
// Before
() => launchUrl(Uri.parse(block.url), mode: LaunchMode.externalApplication)

// After
() async {
  final uri = Uri.tryParse(block.url);
  if (uri == null) return;
  final scheme = uri.scheme.toLowerCase();
  if (scheme != 'http' && scheme != 'https') return;
  if (await canLaunchUrl(uri)) {
    await launchUrl(uri, mode: LaunchMode.externalApplication);
  }
}

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

Copilot AI mentioned this pull request Mar 25, 2026
Merged
21 tasks
@RZEROSTERN
Fix unsafe URL launch in attaches_renderer.dart: use Uri.tryParse, re…
e49c87a 
…strict to http/https, check canLaunchUrl

Co-authored-by: RZEROSTERN <3065243+RZEROSTERN@users.noreply.github.com>
Agent-Logs-Url: https://github.com/RZEROSTERN/editorjs-flutter/sessions/97759922-db09-4059-af45-b959591f6f85
Copilot AI changed the title [WIP] [WIP] Address feedback on viewer completeness read-only block types Fix unsafe URL launch in AttachesRenderer Mar 25, 2026
Copilot AI requested a review from RZEROSTERN March 25, 2026 17:36
@RZEROSTERN RZEROSTERN marked this pull request as ready for review March 25, 2026 17:38
@RZEROSTERN RZEROSTERN merged commit 6f56057 into feat/phase-2-viewer-completeness-part-2 Mar 25, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RZEROSTERN RZEROSTERN Awaiting requested review from RZEROSTERN

Assignees

@RZEROSTERN RZEROSTERN

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RZEROSTERN