From c3ddc03df0cb14e1fa97cec9cb1f53b58b237663 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 17:33:27 +0000
Subject: [PATCH 1/2] Initial plan
From e49c87a4c0c5f1d3e563b18394ac172809a1b76e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 17:35:12 +0000
Subject: [PATCH 2/2] Fix unsafe URL launch in attaches_renderer.dart: use Uri.tryParse, restrict to http/https, check canLaunchUrl
Co-authored-by: RZEROSTERN <3065243+RZEROSTERN@users.noreply.github.com>
Agent-Logs-Url: https://github.com/RZEROSTERN/editorjs-flutter/sessions/97759922-db09-4059-af45-b959591f6f85
---
 .../blocks/attaches/attaches_renderer.dart | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/lib/src/presentation/blocks/attaches/attaches_renderer.dart b/lib/src/presentation/blocks/attaches/attaches_renderer.dart
index 861fa9b..29467aa 100644
--- a/lib/src/presentation/blocks/attaches/attaches_renderer.dart
+++ b/lib/src/presentation/blocks/attaches/attaches_renderer.dart
@@ -16,8 +16,15 @@ class AttachesRenderer extends BlockRenderer {
 return InkWell(
 onTap: block.url.isNotEmpty
- ? () => launchUrl(Uri.parse(block.url),
- mode: LaunchMode.externalApplication)
+ ? () async {
+ final uri = Uri.tryParse(block.url);
+ if (uri == null) return;
+ final scheme = uri.scheme.toLowerCase();
+ if (scheme != 'http' && scheme != 'https') return;
+ if (await canLaunchUrl(uri)) {
+ await launchUrl(uri, mode: LaunchMode.externalApplication);
+ }
+ }
 : null,
 borderRadius: BorderRadius.circular(8),
 child: Container(
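Review bot: The new `canLaunchUrl` gate in the `onTap` closure can make valid https attachments silently do nothing. On Android 11+ and iOS, url_launcher documents that `canLaunchUrl` returns false unless the host app declares the scheme in its manifest `<queries>` / `LSApplicationQueriesSchemes`, and this renderer cannot guarantee that. The scheme allowlist already does the security work, so I would call `launchUrl` directly and act on its bool result, and log or surface a rejected or failed launch instead of a bare `return`. The allowlist also accepts host-less values such as `http:foo`; adding `|| uri.host.isEmpty` to the scheme check, e.g. `if (!(uri.isScheme('http') || uri.isScheme('https')) || uri.host.isEmpty) return;`, closes that gap (`Uri` already lower-cases the scheme, so `toLowerCase()` is redundant). The enclosing build method starts and ends outside the hunk.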