From a75d6b298ec50cf0bed599f660ecc4cb8e2d2e1c Mon Sep 17 00:00:00 2001
From: Tom Moor <tom.moor@gmail.com>
Date: Thu, 6 Jul 2023 21:38:02 -0400
Subject: [PATCH] fix: Sanitize url missing in editor embeds and widgets

---
 shared/editor/components/Frame.tsx  | 3 ++-
 shared/editor/components/Widget.tsx | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/shared/editor/components/Frame.tsx b/shared/editor/components/Frame.tsx
index 203204d0a..6ea72703e 100644
--- a/shared/editor/components/Frame.tsx
+++ b/shared/editor/components/Frame.tsx
@@ -5,6 +5,7 @@ import * as React from "react";
 import styled from "styled-components";
 import { Optional } from "utility-types";
 import { s } from "../../styles";
+import { sanitizeUrl } from "../../utils/urls";
 
 type Props = Omit<Optional<HTMLIFrameElement>, "children"> & {
   src?: string;
@@ -81,7 +82,7 @@ class Frame extends React.Component<PropsWithRef> {
             frameBorder="0"
             title="embed"
             loading="lazy"
-            src={src}
+            src={sanitizeUrl(src)}
             referrerPolicy={referrerPolicy}
             allowFullScreen
           />
diff --git a/shared/editor/components/Widget.tsx b/shared/editor/components/Widget.tsx
index c6e4209d7..e21b0e03a 100644
--- a/shared/editor/components/Widget.tsx
+++ b/shared/editor/components/Widget.tsx
@@ -1,6 +1,7 @@
 import * as React from "react";
 import styled, { css, DefaultTheme, ThemeProps } from "styled-components";
 import { s } from "../../styles";
+import { sanitizeUrl } from "../../utils/urls";
 
 type Props = {
   icon: React.ReactNode;
@@ -18,7 +19,7 @@ export default function Widget(props: Props & ThemeProps<DefaultTheme>) {
       className={
         props.isSelected ? "ProseMirror-selectednode widget" : "widget"
       }
-      href={props.href}
+      href={sanitizeUrl(props.href)}
       rel="noreferrer nofollow"
       onMouseDown={props.onMouseDown}
     >