diff --git a/lib/NotificationGenerator.php b/lib/NotificationGenerator.php
index 99e3e3b70..175ea2438 100644
--- a/lib/NotificationGenerator.php
+++ b/lib/NotificationGenerator.php
@@ -31,6 +31,14 @@ public function __construct(
 ) {
 }
 
+ private function sanitizeUrl(string $url): string {
+ if (str_starts_with($url, 'http://') || str_starts_with($url, 'https://')) {
+ return $url;
+ }
+
+ return '';
+ }
+
 public function deferNotifications(): bool {
 return $this->notificationManager->defer();
 }
@@ -68,8 +76,9 @@ private function getNotificationForEvent(IEvent $event, int $activityId): INotif
 $notification->setMessage($event->getMessage(), $event->getMessageParameters());
 }
 
- if ($event->getLink()) {
- $notification->setLink($event->getLink());
+ $link = $event->getLink() ? $this->sanitizeUrl($event->getLink()) : '';
+ if ($link !== '') {
+ $notification->setLink($link);
 }
 
 return $notification;
@@ -127,8 +136,9 @@ private function getDisplayNotificationForEvent(IEvent $event, int $activityId):
 $notification->setRichSubject($event->getRichSubject(), $event->getRichSubjectParameters());
 $notification->setParsedSubject($event->getParsedSubject());
 
- if ($event->getIcon()) {
- $notification->setIcon($event->getIcon());
+ $icon = $event->getIcon() ? $this->sanitizeUrl($event->getIcon()) : '';
+ if ($icon !== '') {
+ $notification->setIcon($icon);
 }
 
 if ($event->getRichMessage()) {
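Review bot: `sanitizeUrl` in the first hunk is an allowlist, not a sanitizer, and nothing documents that contract: any value without an `http://` or `https://` prefix — non-http schemes as well as relative paths — is replaced by the empty string, so a docblock such as `/** Scheme allowlist: returns $url untouched only when it is an absolute http(s) URL, '' otherwise. Relative paths are deliberately dropped. */` would stop the next maintainer from extending it or "fixing" the relative-path case without noticing. `str_starts_with` is case-sensitive, so an `HTTPS://…` value from a provider is silently discarded; if mixed-case schemes should be accepted, `preg_match('#^https?://#i', $url) === 1` keeps the same allowlist shape, and if not, the docblock should say the check is intentionally case-sensitive. The method uses no instance state and could be `private static function sanitizeUrl(string $url): string`.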
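Review bot: In the second hunk the ternary `$event->getLink() ? $this->sanitizeUrl($event->getLink()) : ''` calls `getLink()` twice and is redundant, because `sanitizeUrl('')` already returns `''`; if `IEvent::getLink()` is declared to return `string` (not visible here), `$link = $this->sanitizeUrl($event->getLink());` is equivalent and avoids the truthiness test that also treats `'0'` as absent. The same pattern is in the third hunk for `$icon`. Both hunks change behaviour beyond the security fix: a relative link or icon path that previously passed through is now dropped with no trace, which is worth either a debug log in the `=== ''` case or a one-line comment such as `// non-http(s) links are dropped rather than rendered` so the silent omission is recognisable when a provider's notification loses its icon. `getNotificationForEvent` and `getDisplayNotificationForEvent` both start and end outside their hunks.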