Address copilot feedback

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: jazairi

app/controllers/thirdiron_controller.rb

@@ -1,3 +1,5 @@
+require 'uri'
+
 class ThirdironController < ApplicationController
   layout false
 
@@ -14,12 +16,27 @@ def browzine
     return unless ThirdIron.enabled? && params[:issn].present?
 
     @browzine = Browzine.lookup(issn: params[:issn])
-    @full_record_url = params[:full_record_url]
+    @full_record_url = safe_full_record_url(params[:full_record_url])
   end
 
   private
 
   def expected_params?
     params[:type].present? && params[:identifier].present?
   end
+
+  def safe_full_record_url(url)
+    return nil unless url.is_a?(String)
+
+    url = url.strip
+    return nil if url.blank?
+
+    parsed = URI.parse(url)
+    return nil unless parsed.is_a?(URI::HTTP) || parsed.is_a?(URI::HTTPS)
+    return nil if parsed.host.blank?
+
+    parsed.to_s
+  rescue URI::InvalidURIError, ArgumentError
+    nil
+  end
 end

app/views/thirdiron/browzine.html.erb

@@ -1,9 +1,9 @@
-<% if ThirdIron.enabled? && @browzine.present? %>
-  <%= link_to 'Full-text options', @full_record_url, class: 'button libkey-link', data: { matomo_seen: "Results, Full-text Options Link Seen, Tab: {{getActiveTabName}}", matomo_click: "Results, Full-text Options Link Engaged, Link: {{getElementText}}", content_piece: 'Full-text options' } %>
-
-  <% if @browzine[:browzine_link].present? %>
-    <div class="libkey-actions">
-      <%= link_to @browzine[:browzine_link][:text], @browzine[:browzine_link][:link], class: 'libkey-link', data: { matomo_seen: "Results, Browzine Link Seen, Tab: {{getActiveTabName}}", matomo_click: "Results, Browzine Link Engaged, Link: {{getElementText}}", content_piece: @browzine[:browzine_link][:text] } %>
-    </div>
+<% if ThirdIron.enabled? && @browzine.present? && @browzine[:browzine_link].present? %>
+  <% if @full_record_url.present? %>
+    <%= link_to 'Full-text options', @full_record_url, class: 'button libkey-link', data: { matomo_seen: "Results, Full-text Options Link Seen, Tab: {{getActiveTabName}}", matomo_click: "Results, Full-text Options Link Engaged, Link: {{getElementText}}", content_piece: 'Full-text options' } %>
   <% end %>
+
+  <div class="libkey-actions">
+    <%= link_to @browzine[:browzine_link][:text], @browzine[:browzine_link][:link], class: 'libkey-link', data: { matomo_seen: "Results, Browzine Link Seen, Tab: {{getActiveTabName}}", matomo_click: "Results, Browzine Link Engaged, Link: {{getElementText}}", content_piece: @browzine[:browzine_link][:text] } %>
+  </div>
 <% end %>

test/controllers/thirdiron_controller_test.rb

@@ -111,7 +111,10 @@ class ThirdironControllerTest < ActionDispatch::IntegrationTest
       get '/browzine?issn=1546170X'
 
       assert_response :success
-      assert_select 'a.button', { count: 1 }
+
+      # Only browzine link, no button since no full_record_url provided
+      assert_select 'a.button', { count: 0 }
+      assert_select 'a.libkey-link', { count: 1 }
     end
   end
 
@@ -120,6 +123,10 @@ class ThirdironControllerTest < ActionDispatch::IntegrationTest
       get '/browzine?issn=1546170X&full_record_url=https://example.com/full-record'
 
       assert_response :success
+
+      # Button (Full-text options) and browzine link both have libkey-link class
+      assert_select 'a.button', { count: 1 }
+      assert_select 'a.button[href="https://example.com/full-record"]'
       assert_select 'a.libkey-link', { count: 2 }
     end
   end