fix(CardHorizontal): 🐛 Security URL validation #1000

Open
punkbit wants to merge 7 commits into main from fix/card-horizontal-security-url-validation

@punkbit punkbit commented Apr 15, 2026

Why?

Improved how the CardHorizontal component handles external links to keep end-users safe.

How?

  • Link validation, e.g. introduced a utility function
  • Safer tab opening, e.g. use the MDN-recommended approach

Tickets?

N/A

Contribution checklist?

  • You've done enough research before writing
  • You have reviewed the PR
  • The commit messages are detailed
  • The build command runs locally
  • Assets or static content are linked and stored in the project
  • For documentation, guides or references, you've tested the commands

Security checklist?

  • All user inputs are validated and sanitized
  • No usage of dangerouslySetInnerHTML
  • Sensitive data has been identified and is being protected properly
  • Build output contains no secrets or API keys

Preview?

N/A

punkbit added 5 commits April 15, 2026 15:24
- Validate infoUrl starts with http:// or https:// to prevent javascript: URI attacks
- Add noopener,noreferrer to window.open for security
- Replace regex with native URL API for more robust validation
- Export isValidHttpUrl utility function
- Add unit tests for URL validation
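
The validation and tab-opening approach listed in the commits above, as an added example in JavaScript; it is not the code from this PR. Only the name `isValidHttpUrl` comes from the page; `openExternal`, `classify`, the injectable `opener` parameter and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: not the click-ui source. Only the name isValidHttpUrl comes
// from the PR; openExternal, classify and SAMPLE_URLS are hypothetical.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Parse with the WHATWG URL API, then allow-list the scheme. The parser
// lower-cases the scheme and strips surrounding whitespace, so the check is
// made on the value the browser would actually navigate to.
function isValidHttpUrl(value) {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    parsed = new URL(value); // throws on relative or malformed input
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Open a validated link in a new tab. `opener` is injectable so the function
// can be exercised outside a browser; it defaults to window.open.
function openExternal(url, opener = globalThis.window?.open?.bind(globalThis.window)) {
  if (typeof opener !== "function" || !isValidHttpUrl(url)) return false;
  // noopener: the new page gets no window.opener handle; noreferrer: no Referer.
  // With noopener, window.open returns null, so the result is not inspected.
  opener(url, "_blank", "noopener,noreferrer");
  return true;
}

// Constructed sample inputs (not taken from the PR's tests).
const SAMPLE_URLS = [
  "https://example.com/docs",
  "HTTP://EXAMPLE.COM/",
  "javascript:alert(1)",
  "JavaScript:alert(1)",
  "data:text/html,<p>hi</p>",
  "/relative/path",
  "",
];

function classify(urls = SAMPLE_URLS) {
  return urls.map((u) => ({ url: u, allowed: isValidHttpUrl(u) }));
}

for (const { url, allowed } of classify()) {
  console.log(allowed ? "allow" : "block", JSON.stringify(url));
}
```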

changeset-bot Bot commented Apr 15, 2026

🦋 Changeset detected

Latest commit: 0b97e30

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@clickhouse/click-ui Patch


@ClickHouse ClickHouse deleted a comment from github-actions Bot Apr 15, 2026
@ClickHouse ClickHouse deleted a comment from github-actions Bot Apr 15, 2026
@workflow-authentication-public

📚 Storybook Preview Deployed

✅ Preview URL: https://click-7z8wvwydc-clickhouse.vercel.app

Built from commit: 03156619e96fb9da307724d7e9860b0845926d49
