From 3387e24aaae919dbcfcbc2ad8ed0a16065e1559c Mon Sep 17 00:00:00 2001
From: Manish Gupta
Date: Thu, 25 Jun 2026 12:26:24 +0530
Subject: [PATCH 1/2] [WEB-7888] fix(security): normalize href before protocol check in CustomLinkExtension (GHSA-v2vv-7wq3-8w2j)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The existing startsWith("javascript:") guard in parseHTML() and renderHTML() is bypassable with a whitespace prefix (e.g. "\tjavascript:alert(1)"). Per the WHATWG URL spec, browsers strip ASCII Tab/LF/CR from URL strings during parsing, so the whitespace-prefixed href passes the guard, is rendered into the DOM verbatim, and executes when clicked (browser strips the tab → javascript: fires). Add isDangerousHref() helper that strips Tab/LF/CR and leading C0 controls before the protocol check, replicating the browser's normalization. Replace both naive startsWith checks in parseHTML() and renderHTML() with this helper. Add a defence-in-depth guard in clickHandler.ts that rejects javascript:/data:/vbscript: hrefs before window.open() — link.href is the browser-resolved URL (whitespace already stripped), so a regex check there catches any URI that bypasses the parse/render-time guards.

Co-authored-by: Plane AI
---
 .../core/extensions/custom-link/extension.tsx | Bin 6737 -> 7570 bytes
 .../custom-link/helpers/clickHandler.ts | 9 +++++++++
 2 files changed, 9 insertions(+)
diff --git a/packages/editor/src/core/extensions/custom-link/extension.tsx b/packages/editor/src/core/extensions/custom-link/extension.tsx
index a00585b88489005d2a452a34055148c67f84ef7e..0b1022642581b6da5070603cff1b2904d44e3799 100644
GIT binary patch
delta 1089 zcmZ{j!EVz)5Qe!RA)gAWkT@~Q1-otRP(VPUBBd#9sv1(Isd8uvSv!-&t+Q)(H*pI^ z;SG=|yZ|o%QlErZ;6-58P12}>lh?C5|IU8@%&*5^NgLOAGhL zZJ=;?43RRKRvfNS{;q@Pt$jg^3T%MqfFGZ zxYIZb`TH$(xa>_- z$5YukH)m!p&oRFg(!v)h$_i6xJ0*(Atf~JqB(4$zwC(9IIaJJz3@=df^h@j6{IE9ajVzE$jM5B+d6P|M$}A!U`EaU Mm(InH+uv{f1>A*bzyJUM delta 271 zcmbPaebHot2-oJ1ynk8w?Db0Wee%mwi<}dSQ#B^P6&8=oC`wJ!D=tYaDk%=nEXmMN z%1SItEKV-UEGV&3(p0FaQNU1
Date: Thu, 25 Jun 2026 13:14:08 +0530
Subject: [PATCH 2/2] [WEB-7888] fix: align clickHandler blocked-scheme list with isValidHttpUrl policy

Add file: and about: to the clickHandler protocol guard to match the blocked-scheme contract in isValidHttpUrl, avoiding policy drift.

Co-authored-by: Plane AI
---
 .../core/extensions/custom-link/helpers/clickHandler.ts | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/packages/editor/src/core/extensions/custom-link/helpers/clickHandler.ts b/packages/editor/src/core/extensions/custom-link/helpers/clickHandler.ts
index 63c0c406890..98c795cea3d 100644
--- a/packages/editor/src/core/extensions/custom-link/helpers/clickHandler.ts
+++ b/packages/editor/src/core/extensions/custom-link/helpers/clickHandler.ts
@@ -42,10 +42,11 @@ export function clickHandler(options: ClickHandlerOptions): Plugin {
 if (link && href) {
 // Defence-in-depth: link.href is the browser-resolved URL (whitespace
 // already stripped by the browser's WHATWG URL parser), so a protocol
- // check here is sufficient to catch any javascript:/data:/vbscript: URI
- // that slipped past the editor's parse/render-time guards
- // (GHSA-v2vv-7wq3-8w2j).
- if (/^(javascript|data|vbscript):/i.test(href)) {
+ // check here is sufficient to catch any dangerous URI that slipped past
+ // the editor's parse/render-time guards. Matches the blocked-scheme list
+ // in isValidHttpUrl (javascript:, data:, vbscript:, file:, about:)
+ // to keep the policy consistent (GHSA-v2vv-7wq3-8w2j).
+ if (/^(javascript|data|vbscript|file|about):/i.test(href)) {
 return false;
 }
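Review bot: The guard `if (/^(javascript|data|vbscript|file|about):/i.test(href))` hard-codes a second copy of the scheme list that the comment attributes to isValidHttpUrl, so the two can drift again the next time either is edited. Both checks should read the list from one shared constant. Better still, this last check before window.open() could allow only known schemes on the parsed URL, for example `const { protocol } = new URL(href, window.location.href);` then `if (!["http:", "https:", "mailto:"].includes(protocol)) return false;`, with the allowed set adjusted to what the editor must support and a try/catch around the parse. The comment's "whitespace already stripped" guarantee holds only if `href` is always `link.href`; its assignment is outside this hunk, so if it can fall back to the raw node attribute, the regex would see the un-normalized value. clickHandler's body starts before and continues after the hunk.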