From 7b302382abc82cab153bfad6f30e6f754420bc1a Mon Sep 17 00:00:00 2001
From: mateea326
Date: Mon, 30 Mar 2026 16:40:25 +0300
Subject: [PATCH] prevent malicious javascript execution in url_launcher.dart

---
 .../appflowy_flutter/lib/core/helpers/url_launcher.dart | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/frontend/appflowy_flutter/lib/core/helpers/url_launcher.dart b/frontend/appflowy_flutter/lib/core/helpers/url_launcher.dart
index 4ca51f8ea4d93..77b28709e6b99 100644
--- a/frontend/appflowy_flutter/lib/core/helpers/url_launcher.dart
+++ b/frontend/appflowy_flutter/lib/core/helpers/url_launcher.dart
@@ -39,6 +39,14 @@ Future afLaunchUri(
 );
 }
 
+ // Security: Prevent execution of dangerous URI schemes (XSS)
+ final validSchemes = ['http', 'https', 'mailto', 'tel', 'sms'];
+ if (uri.scheme.isNotEmpty && !validSchemes.contains(uri.scheme.toLowerCase())) {
+ Log.error('Blocked attempt to launch unsafe URI scheme: ${uri.scheme}');
+ return false;
+ }
+
+ // on Linux or Android or Windows, add http scheme to the url if it is not present
 if ((UniversalPlatform.isLinux || UniversalPlatform.isAndroid ||