fix: Sanitize url missing in editor embeds and widgets

shared/editor/components/Frame.tsx

@@ -5,6 +5,7 @@ import * as React from "react";
 import styled from "styled-components";
 import { Optional } from "utility-types";
 import { s } from "../../styles";
+import { sanitizeUrl } from "../../utils/urls";
 
 type Props = Omit<Optional<HTMLIFrameElement>, "children"> & {
   src?: string;
@@ -81,7 +82,7 @@ class Frame extends React.Component<PropsWithRef> {
             frameBorder="0"
             title="embed"
             loading="lazy"
-            src={src}
+            src={sanitizeUrl(src)}
             referrerPolicy={referrerPolicy}
             allowFullScreen
           />

shared/editor/components/Widget.tsx

@@ -1,6 +1,7 @@
 import * as React from "react";
 import styled, { css, DefaultTheme, ThemeProps } from "styled-components";
 import { s } from "../../styles";
+import { sanitizeUrl } from "../../utils/urls";
 
 type Props = {
   icon: React.ReactNode;
@@ -18,7 +19,7 @@ export default function Widget(props: Props & ThemeProps<DefaultTheme>) {
       className={
         props.isSelected ? "ProseMirror-selectednode widget" : "widget"
       }
-      href={props.href}
+      href={sanitizeUrl(props.href)}
       rel="noreferrer nofollow"
       onMouseDown={props.onMouseDown}
     >