Fix sanitize URLs to prevent stored XSS in website

website/src/components/layout/site/header.tsx

@@ -28,6 +28,7 @@
   MAX_CONTENT_WIDTH,
   THEME_COLORS,
 } from "@/style";
+import { sanitizeImageSrc } from "@/utils/url-helpers";
 
 // Icons
 import AngleLeftIconSvg from "@/images/icons/angle-left.svg";
@@ -487,7 +488,7 @@
                 {latestBlogPost.featuredImage && (
                   <TeaserImage>
                     <img
-                      src={latestBlogPost.featuredImage}
+                      src={sanitizeImageSrc(latestBlogPost.featuredImage)}
                       alt={latestBlogPost.title}
                       width={320}
                       height={180}

website/src/components/misc/link.tsx

@@ -1,5 +1,6 @@
 import NextLink from "next/link";
 import React, { FC } from "react";
+import { sanitizeUrl } from "@/utils/url-helpers";
 
 export const Link: FC<{
   className?: string;
@@ -9,25 +10,26 @@
   prefetch?: false;
   children?: React.ReactNode;
 }> = ({ to, prefetch, children, ...rest }) => {
-  const isHash = to.startsWith("#");
-  const internal = isHash || /^\/(?!\/)/.test(to);
+  const safeUrl = sanitizeUrl(to);
+  const isHash = safeUrl.startsWith("#");
+  const internal = isHash || /^\/(?!\/)/.test(safeUrl);
 
   return isHash ? (
-    <a href={to} {...rest}>
+    <a href={safeUrl} {...rest}>
       {children}
     </a>
   ) : internal ? (
     prefetch === false ? (
-      <a href={to} {...rest}>
+      <a href={safeUrl} {...rest}>
         {children}
       </a>
     ) : (
-      <NextLink href={to} {...rest}>
+      <NextLink href={safeUrl} {...rest}>
         {children}
       </NextLink>
     )
   ) : (
-    <a href={to} target="_blank" rel="noopener noreferrer" {...rest}>
+    <a href={safeUrl} target="_blank" rel="noopener noreferrer" {...rest}>
       {children}
     </a>
   );

website/src/utils/url-helpers.ts

@@ -2,6 +2,66 @@
  * Utility functions for working with URL parameters
  */
 
+const SAFE_URL_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);
+
+const SAFE_IMG_PROTOCOLS = new Set(["http:", "https:"]);
+
+/**
+ * Sanitizes a URL to prevent XSS via dangerous protocols such as
+ * `javascript:` or `data:`. Returns the original URL when the protocol
+ * is safe, or "about:blank" otherwise.  Relative and hash-only URLs are
+ * always allowed.
+ */
+export function sanitizeUrl(url: string): string {
+  const trimmed = url.trim();
+
+  // Relative paths and hash links are safe.
+  if (
+    trimmed === "" ||
+    trimmed.startsWith("/") ||
+    trimmed.startsWith("#") ||
+    trimmed.startsWith("?")
+  ) {
+    return trimmed;
+  }
+
+  try {
+    const parsed = new URL(trimmed, "http://placeholder.invalid");
+
+    if (SAFE_URL_PROTOCOLS.has(parsed.protocol)) {
+      return trimmed;
+    }
+  } catch {
+    // Malformed URL — reject.
+  }
+
+  return "about:blank";
+}
+
+/**
+ * Sanitizes an image `src` value, allowing only http(s) and relative
+ * paths.  Returns an empty string for anything else.
+ */
+export function sanitizeImageSrc(src: string): string {
+  const trimmed = src.trim();
+
+  if (trimmed === "" || trimmed.startsWith("/")) {
+    return trimmed;
+  }
+
+  try {
+    const parsed = new URL(trimmed, "http://placeholder.invalid");
+
+    if (SAFE_IMG_PROTOCOLS.has(parsed.protocol)) {
+      return trimmed;
+    }
+  } catch {
+    // Malformed URL — reject.
+  }
+
+  return "";
+}
+
 /**
  * Gets a query parameter value from the current URL
  * @param paramName - The name of the parameter to retrieve