Guard isHrefExternal against non-web protocols

akabiru · claude · akabiru · commit 7d6e8eee7e16 · 2026-04-08T21:47:03.000+03:00
isHrefExternal treated mailto:, tel:, and javascript: URLs as external
because new URL() yields origin "null" for non-web protocols, which
never matches window.location.origin. This meant the a11y decoration
plugin would incorrectly add the "opens in new tab" hint to non-web
links.

Add an explicit protocol check so only http/https URLs are considered
external. This mirrors the existing guard in isExternalLinkCandidate
but applies at the lower level so all callers are safe.

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/frontend/src/stimulus/helpers/external-link-helpers.ts b/frontend/src/stimulus/helpers/external-link-helpers.ts
@@ -45,10 +45,15 @@ export function isLinkBlank(link:HTMLAnchorElement) {
  * Returns true when the given href string points to a different origin than
  * the current page. Works with plain URL strings (e.g. from ProseMirror mark
  * attrs) where no HTMLAnchorElement is available.
+ *
+ * Only considers http/https URLs — non-web protocols (mailto:, tel:,
+ * javascript:, etc.) return false because they don't navigate to an
+ * external origin.
  */
 export function isHrefExternal(href:string):boolean {
   try {
     const linkUrl = new URL(href, window.location.origin);
+    if (!linkUrl.protocol.startsWith('http')) return false;
     return linkUrl.origin !== window.location.origin;
   } catch {
     return false;
