From bc5e16e3b8f1dbe460d33e3a40fe979ca29f3df3 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 May 2026 14:42:09 +0000 Subject: [PATCH 1/2] fix: prevent XSS via javascript: URLs in WebFetchToolCall href The web_fetch tool call component rendered args.url directly into an without protocol validation. Since Zod's z.string().url() accepts javascript: URLs, a prompt-injected tool call could produce a clickable link that executes arbitrary JS in the renderer. Add isSafeHref() that allowlists http:/https: protocols. Non-safe URLs render as plain text instead of clickable links. https://claude.ai/code/session_015vY8c55jcKPoPNKm2264uC --- .../features/Tools/WebFetchToolCall.tsx | 32 ++++++++++++++----- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/src/browser/features/Tools/WebFetchToolCall.tsx b/src/browser/features/Tools/WebFetchToolCall.tsx index 3727b9b392..ec5b42c826 100644 --- a/src/browser/features/Tools/WebFetchToolCall.tsx +++ b/src/browser/features/Tools/WebFetchToolCall.tsx @@ -35,6 +35,18 @@ interface NormalizedResult { error?: string; } +/** + * Only allow http/https URLs as clickable hrefs to prevent javascript: XSS. + */ +function isSafeHref(url: string): boolean { + try { + const protocol = new URL(url).protocol; + return protocol === "http:" || protocol === "https:"; + } catch { + return false; + } +} + /** * Extract domain from URL for compact display */ @@ -144,14 +156,18 @@ export const WebFetchToolCall: React.FC = ({
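Review bot: isSafeHref is now the only check between a tool-supplied args.url and a clickable href, yet it is module-private and the commit adds no test pinning the allowlist; exporting it (or moving it to a shared util) and adding a unit test that asserts `http:`/`https:` are accepted while `javascript:`, `data:` and a relative path return false would keep the guard from silently regressing. The implementation itself fails closed correctly: `new URL()` lowercases the protocol, so case variants are handled, and it throws on relative or malformed input, which the `catch` turns into `false`. As a point of style, the allowed schemes could live in one module-level constant, `const SAFE_PROTOCOLS = new Set(["http:", "https:"]);` with `return SAFE_PROTOCOLS.has(new URL(url).protocol);`, so any sibling Tools component that renders an href from tool args (if there are others) can reuse the same list rather than re-deriving it.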
URL: - - {args.url} - + {isSafeHref(args.url) ? ( + + {args.url} + + ) : ( + {args.url} + )}
{normalized?.success && normalized.title && (
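Review bot: The anchor's attributes are not visible in this extraction of the hunk, so it is worth confirming that the restructured `<a>` inside the `isSafeHref(args.url) ? (...)` branch still carries `rel="noopener noreferrer"` if it opens with `target="_blank"`; the scheme allowlist does not cover the opener-access concern and the two guards are independent. The fallback branch renders the raw URL as plain text with no indication that the link was deliberately disabled, which may read to the user as a rendering glitch; a `title` such as `"Link disabled: unsupported URL scheme"` on the fallback element would make the behaviour self-explanatory. The WebFetchToolCall component body starts and ends outside this hunk.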
From 62ae660b8e501626e30b456f7cde65884ed16a1d Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 May 2026 18:56:17 +0000 Subject: [PATCH 2/2] fix: broaden isSafeHref comment to reflect full scope of blocked schemes Address coder-agents-review nit: the comment was too narrow (only mentioned javascript:), but the function blocks all non-http(s) schemes. https://claude.ai/code/session_015vY8c55jcKPoPNKm2264uC --- src/browser/features/Tools/WebFetchToolCall.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/browser/features/Tools/WebFetchToolCall.tsx b/src/browser/features/Tools/WebFetchToolCall.tsx index ec5b42c826..76805172fd 100644 --- a/src/browser/features/Tools/WebFetchToolCall.tsx +++ b/src/browser/features/Tools/WebFetchToolCall.tsx @@ -36,7 +36,7 @@ interface NormalizedResult { } /** - * Only allow http/https URLs as clickable hrefs to prevent javascript: XSS. + * Allowlist http/https for clickable hrefs. Blocks javascript:, data:, vbscript:, etc. */ function isSafeHref(url: string): boolean { try {
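Review bot: The broadened comment on isSafeHref still describes only the scheme allowlist and not the second fail-closed path, which matters for anyone reading the plain-text fallback later: any input that `new URL(url)` rejects (relative paths, malformed strings, empty string) also returns false via the `catch`. Adding one line to the JSDoc, ` * Anything that does not parse as an absolute URL also returns false (thrown by new URL()).`, documents that contract without changing code. The function body continues outside this hunk.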