Potential fix for pull request finding 'CodeQL / Reflected server-side cross-site scripting'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: jazairi

app/controllers/thirdiron_controller.rb

@@ -1,3 +1,5 @@
+require 'uri'
+
 class ThirdironController < ApplicationController
   layout false
 
@@ -14,12 +16,24 @@ def browzine
     return unless ThirdIron.enabled? && params[:issn].present?
 
     @browzine = Browzine.lookup(issn: params[:issn])
-    @full_record_url = params[:full_record_url]
+    @full_record_url = safe_full_record_url(params[:full_record_url])
   end
 
   private
 
   def expected_params?
     params[:type].present? && params[:identifier].present?
   end
+
+  def safe_full_record_url(url)
+    return nil if url.blank?
+
+    parsed = URI.parse(url)
+    return nil unless parsed.is_a?(URI::HTTP) || parsed.is_a?(URI::HTTPS)
+    return nil if parsed.host.blank?
+
+    parsed.to_s
+  rescue URI::InvalidURIError
+    nil
+  end
 end

app/views/thirdiron/browzine.html.erb

@@ -1,5 +1,7 @@
 <% if ThirdIron.enabled? && @browzine.present? %>
-  <%= link_to 'Full-text options', @full_record_url, class: 'button libkey-link', data: { matomo_seen: "Results, Full-text Options Link Seen, Tab: {{getActiveTabName}}", matomo_click: "Results, Full-text Options Link Engaged, Link: {{getElementText}}", content_piece: 'Full-text options' } %>
+  <% if @full_record_url.present? %>
+    <%= link_to 'Full-text options', @full_record_url, class: 'button libkey-link', data: { matomo_seen: "Results, Full-text Options Link Seen, Tab: {{getActiveTabName}}", matomo_click: "Results, Full-text Options Link Engaged, Link: {{getElementText}}", content_piece: 'Full-text options' } %>
+  <% end %>
 
   <% if @browzine[:browzine_link].present? %>
     <div class="libkey-actions">