fix: disable open link button for unsafe link

Signed-off-by: Luka Trovic <luka@nextcloud.com>

Author: luka-nextcloud

src/components/Link/LinkBubbleView.vue

@@ -12,8 +12,9 @@
 			</div>
 			<!-- open link -->
 			<NcButton
-				:title="t('text', 'Open link')"
-				:aria-label="t('text', 'Open link')"
+				:disabled="!isSafeHref"
+				:title="openLinkTitle"
+				:aria-label="openLinkTitle"
 				variant="tertiary"
 				@click="openLink(href)">
 				<template #icon>
@@ -101,6 +102,7 @@ import { useOpenLinkHandler } from '../../composables/useOpenLinkHandler.ts'
 import PreviewOptions from '../Editor/PreviewOptions.vue'
 
 const PROTOCOLS_WITH_PREVIEW = ['http:', 'https:']
+const SAFE_PROTOCOLS = ['http:', 'https:', 'mailto:', 'tel:']
 
 export default {
 	name: 'LinkBubbleView',
@@ -170,6 +172,27 @@ export default {
 				return false
 			}
 		},
+
+		isSafeHref() {
+			try {
+				const url = new URL(this.href, window.location)
+				return !!this.href && SAFE_PROTOCOLS.includes(url.protocol)
+			} catch {
+				return false
+			}
+		},
+
+		openLinkTitle() {
+			if (this.isSafeHref) {
+				return t('text', 'Open link')
+			}
+
+			if (!this.href) {
+				return t('text', 'No link available to open')
+			}
+
+			return t('text', 'Cannot open links with unsafe protocols')
+		},
 	},
 
 	watch: {