Fix unsafe URL launch in LinkToolRenderer

[Copilot]

onTap in LinkToolRenderer used Uri.parse directly, risking FormatException on malformed links and allowing non-web schemes (e.g. file://, intent://) to be launched.

Changes

• link_tool_renderer.dart
  • Uri.parse → Uri.tryParse; returns early if result is null
  • Scheme guard: rejects anything that isn't http or https
  • Gates launch behind canLaunchUrl; awaits both the check and launchUrl

onTap: block.link.isNotEmpty
    ? () async {
        final uri = Uri.tryParse(block.link);
        if (uri == null) return;
        if (uri.scheme != 'http' && uri.scheme != 'https') return;
        if (await canLaunchUrl(uri)) {
          await launchUrl(uri, mode: LaunchMode.externalApplication);
        }
      }
    : null,

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.