apply security audit

frontend/src/utils/safeOpenUrl.ts

@@ -0,0 +1,20 @@
+/**
+ * Safely opens a URL in a new tab.
+ *
+ * Validates the URL before opening it to prevent malicious URLs (e.g.
+ * javascript: or data: URIs) from being opened if an API response is
+ * ever compromised. Only http: and https: URLs are allowed.
+ */
+export function safeOpenUrl(url: string): void {
+  try {
+    const parsed = new URL(url);
+    if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
+      console.warn(`safeOpenUrl: blocked URL with unexpected protocol "${parsed.protocol}": ${url}`);
+      return;
+    }
+  } catch {
+    console.warn(`safeOpenUrl: blocked invalid URL: ${url}`);
+    return;
+  }
+  window.open(url, '_blank', 'noopener,noreferrer');
+}