
Potential fix for code scanning alert no. 2: DOM text reinterpreted as HTML #3

Merged: ajm19826 merged 1 commit into main from alert-autofix-2 on Feb 7, 2026

Conversation

@ajm19826 (Owner) commented Feb 7, 2026

Potential fix for https://github.com/ajm19826/ProxyTest/security/code-scanning/2

In general, the fix is to validate and constrain user-controlled URLs before using them in security-sensitive contexts such as href. Specifically, only allow a whitelist of safe schemes (e.g., http: and https:), and reject or ignore anything else. This ensures that even if a user types javascript:alert(1), that value will never end up in activeTab.url and thus never in the href.

The best minimal fix here is to tighten the URL handling in addNewTab (and optionally the initial url query param) so that only http and https URLs can produce a ProxyTab. We can do this without changing existing functionality for legitimate URLs: we still normalize inputs that don’t start with http by prefixing https://, parse with new URL, and then add a scheme check that returns early if the protocol is not http: or https:. Because activeTab.url is always taken from the ProxyTab.url field, this single validation point ensures that the href={activeTab.url} sink only ever receives safe values.

Concretely:

  • In addNewTab, after const fullUrl = ... and new URL(fullUrl);, add a protocol check like if (!/^https?:$/i.test(parsed.protocol)) return;.
  • Do the same in the useEffect that handles the url search parameter, since that also flows into a ProxyTab.
  • No new imports are needed; we can use the built-in URL class that is already in use.

These changes are all within client/pages/Proxy.tsx and only touch the URL creation logic, leaving rendering, tab management, and UI behaviour unchanged for valid http/https URLs.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
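The single validation point the description proposes, as an added example that is not code from the ProxyTest repository (client/pages/Proxy.tsx itself is not shown on this page). The ProxyTab shape, the function names toSafeHttpUrl and addNewTab, and the normalization rule are assumptions: here https:// is prefixed only when the input carries no scheme at all, which is slightly more general than "does not start with http", so that inputs such as javascript:alert(1) reach the protocol check instead of being mangled by the prefix.

```typescript
// Added example, not code from the ProxyTest repository. The ProxyTab shape,
// the function names and the normalization rule below are assumptions.
interface ProxyTab {
  id: number;
  url: string; // after validation this is always an http: or https: URL
}

// Looks like "scheme:" at the start, but not "host:1234" (digits after the colon).
const SCHEME_PREFIX = /^[a-z][a-z0-9+.-]*:(?!\d)/i;

// Normalization: inputs with no scheme get https:// in front. Inputs that
// already carry a scheme (javascript:, data:, http:, ...) are parsed as typed,
// so the protocol check below is what decides whether they are accepted.
function normalizeInput(raw: string): string {
  const trimmed = raw.trim();
  return SCHEME_PREFIX.test(trimmed) ? trimmed : `https://${trimmed}`;
}

// The sanitizer: returns the serialized URL only when the scheme is http or
// https, otherwise null. new URL() lowercases the protocol, so case tricks such
// as "JavaScript:" are covered, and the parser strips tabs and newlines inside
// the scheme before the check runs.
function toSafeHttpUrl(raw: string): string | null {
  let parsed: URL;
  try {
    parsed = new URL(normalizeInput(raw));
  } catch {
    return null; // not a parseable URL at all; refuse rather than guess
  }
  if (!/^https?:$/i.test(parsed.protocol)) {
    return null; // javascript:, data:, vbscript:, file:, ... stop here
  }
  return parsed.href;
}

// The addNewTab-style creation path: the only way a ProxyTab gets a url is
// through toSafeHttpUrl, so a later href={activeTab.url} sink can only see
// http(s) values. A rejected input leaves the tab list unchanged, matching the
// early return the description asks for.
function addNewTab(tabs: ProxyTab[], raw: string): ProxyTab[] {
  const url = toSafeHttpUrl(raw);
  if (url === null) return tabs;
  const id = tabs.reduce((max, t) => Math.max(max, t.id), 0) + 1;
  return [...tabs, { id, url }];
}
```

The useEffect that reads the url search parameter should build its ProxyTab through the same toSafeHttpUrl call rather than repeating the regex, so there remains exactly one place where the scheme decision is made and a later refactor cannot reintroduce an unchecked path.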

…s HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@ajm19826 ajm19826 marked this pull request as ready for review February 7, 2026 13:39
@ajm19826 ajm19826 merged commit 1dca4b8 into main Feb 7, 2026
1 check passed