RocketChat · kodiakhq · Jul 2, 2025 · Jun 27, 2025 · Jun 30, 2025 · Jul 1, 2025
diff --git a/.changeset/flat-buckets-doubt.md b/.changeset/flat-buckets-doubt.md
@@ -0,0 +1,6 @@
+---
+'@rocket.chat/gazzodown': patch
+'@rocket.chat/meteor': patch
+---
+
+Fixes an issue that causes legitimate URLs to return '#' in links
diff --git a/packages/gazzodown/src/elements/sanitizeUrl.spec.ts b/packages/gazzodown/src/elements/sanitizeUrl.spec.ts
@@ -95,10 +95,6 @@ describe('sanitizeUrl', () => {
 		});
 	});
 
-	it('sanitizes malformed URLs', () => {
-		expect(sanitizeUrl('ht^tp://broken')).toBe('#');
-	});
-
 	it('sanitizes empty string', () => {
 		expect(sanitizeUrl('')).toBe('#');
 	});
@@ -107,7 +103,7 @@ describe('sanitizeUrl', () => {
 		expect(sanitizeUrl('JAVASCRIPT:alert(1)')).toBe('#');
 	});
 
-	it('sanitizes nonsense input', () => {
-		expect(sanitizeUrl('💣💥🤯')).toBe('#');
+	it('allows bare domain names', () => {
+		expect(sanitizeUrl('example.com/page')).toBe('//example.com/page');
 	});
 });
diff --git a/packages/gazzodown/src/elements/sanitizeUrl.ts b/packages/gazzodown/src/elements/sanitizeUrl.ts
@@ -1,8 +1,18 @@
 export const sanitizeUrl = (href: string) => {
+	if (!href) {
+		return '#';
+	}
+
 	try {
-		const url = new URL(href);
-		const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
-		return dangerousProtocols.includes(url.protocol.toLowerCase()) ? '#' : url.href;
+		const hasProtocol = /^[a-zA-Z][a-zA-Z\d+\-.]*:/.test(href);
+
+		if (hasProtocol) {
+			const url = new URL(href);
+			const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
+			return dangerousProtocols.includes(url.protocol.toLowerCase()) ? '#' : url.href;
+		}
+
+		return `//${href}`;
 	} catch {
 		return '#';
 	}