fix: change sanitizeUrl to handle URLs without a protocol schema (RocketChat#36317)

Author: julio-rocketchat

.changeset/flat-buckets-doubt.md

@@ -0,0 +1,6 @@
+---
+'@rocket.chat/gazzodown': patch
+'@rocket.chat/meteor': patch
+---
+
+Fixes an issue that causes legitimate URLs to return '#' in links

packages/gazzodown/src/elements/sanitizeUrl.spec.ts

@@ -95,10 +95,6 @@ describe('sanitizeUrl', () => {
 		});
 	});
 
-	it('sanitizes malformed URLs', () => {
-		expect(sanitizeUrl('ht^tp://broken')).toBe('#');
-	});
-
 	it('sanitizes empty string', () => {
 		expect(sanitizeUrl('')).toBe('#');
 	});
@@ -107,7 +103,7 @@ describe('sanitizeUrl', () => {
 		expect(sanitizeUrl('JAVASCRIPT:alert(1)')).toBe('#');
 	});
 
-	it('sanitizes nonsense input', () => {
-		expect(sanitizeUrl('💣💥🤯')).toBe('#');
+	it('allows bare domain names', () => {
+		expect(sanitizeUrl('example.com/page')).toBe('//example.com/page');
 	});
 });

packages/gazzodown/src/elements/sanitizeUrl.ts

@@ -1,8 +1,18 @@
 export const sanitizeUrl = (href: string) => {
+	if (!href) {
+		return '#';
+	}
+
 	try {
-		const url = new URL(href);
-		const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
-		return dangerousProtocols.includes(url.protocol.toLowerCase()) ? '#' : url.href;
+		const hasProtocol = /^[a-zA-Z][a-zA-Z\d+\-.]*:/.test(href);
+
+		if (hasProtocol) {
+			const url = new URL(href);
+			const dangerousProtocols = ['javascript:', 'data:', 'vbscript:'];
+			return dangerousProtocols.includes(url.protocol.toLowerCase()) ? '#' : url.href;
+		}
+
+		return `//${href}`;
 	} catch {
 		return '#';
 	}