Merge pull request #3 from ajm19826/alert-autofix-2

Potential fix for code scanning alert no. 2: DOM text reinterpreted as HTML

Author: ajm19826

client/pages/Proxy.tsx

@@ -36,13 +36,17 @@ export default function Proxy() {
         const fullUrl = urlParam.startsWith("http")
           ? urlParam
           : `https://${urlParam}`;
-        new URL(fullUrl);
+        const parsed = new URL(fullUrl);
+        if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+          navigate("/");
+          return;
+        }
 
         const tabId = generateTabId();
         const newTab: ProxyTab = {
           id: tabId,
-          url: fullUrl,
-          domain: getDomain(fullUrl),
+          url: parsed.toString(),
+          domain: getDomain(parsed.toString()),
           content: "",
           loading: true,
           error: "",
@@ -159,13 +163,17 @@ export default function Proxy() {
       const fullUrl = urlInput.startsWith("http")
         ? urlInput
         : `https://${urlInput}`;
-      new URL(fullUrl);
+      const parsed = new URL(fullUrl);
+      if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+        // Disallow potentially dangerous schemes like javascript:, data:, etc.
+        return;
+      }
 
       const tabId = generateTabId();
       const newTab: ProxyTab = {
         id: tabId,
-        url: fullUrl,
-        domain: getDomain(fullUrl),
+        url: parsed.toString(),
+        domain: getDomain(parsed.toString()),
         content: "",
         loading: true,
         error: "",