/** Schemes that may be handed to `window.open`; everything else is dropped. */
const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(['http:', 'https:']);

/**
 * Decides whether `url` must be refused.
 *
 * @param url - Candidate URL, expected to be absolute (`new URL` has no base).
 * @returns The warning to log when the URL is refused, `undefined` when it
 *   is an `http:`/`https:` URL that may be opened.
 */
function rejectionReasonFor(url: string): string | undefined {
  let protocol: string;
  try {
    protocol = new URL(url).protocol;
  } catch {
    // Relative paths and malformed strings both land here.
    return `safeOpenUrl: blocked invalid URL: ${url}`;
  }
  return ALLOWED_PROTOCOLS.has(protocol)
    ? undefined
    : `safeOpenUrl: blocked URL with unexpected protocol "${protocol}": ${url}`;
}

/**
 * Safely opens a URL in a new tab.
 *
 * The URL is parsed and its scheme checked before `window.open` is called,
 * so a compromised API response cannot hand the browser a `javascript:` or
 * `data:` URI. Only `http:` and `https:` URLs pass; anything else (including
 * strings that do not parse as an absolute URL) is logged via `console.warn`
 * and ignored.
 *
 * @param url - Absolute URL supplied by a remote source.
 */
export function safeOpenUrl(url: string): void {
  const rejection = rejectionReasonFor(url);
  if (rejection !== undefined) {
    console.warn(rejection);
    return;
  }
  // 'noopener' keeps the new page from reaching back through window.opener;
  // 'noreferrer' additionally withholds the referrer.
  window.open(url, '_blank', 'noopener,noreferrer');
}