Add URL validation to ActionRunner and improve accessibility in field widgets

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

packages/core/src/actions/ActionRunner.ts

@@ -122,6 +122,21 @@ export class ActionRunner {
     const nav = action.navigate || action;
     const to = this.evaluator.evaluate(nav.to) as string;
 
+    // Validate URL to prevent javascript: or data: schemes
+    const isValidUrl = typeof to === 'string' && (
+      to.startsWith('http://') || 
+      to.startsWith('https://') || 
+      to.startsWith('/') || 
+      to.startsWith('./')
+    );
+
+    if (!isValidUrl) {
+      return {
+        success: false,
+        error: 'Invalid URL scheme. Only http://, https://, and relative URLs are allowed.'
+      };
+    }
+
     if (nav.external) {
       window.open(to, '_blank', 'noopener,noreferrer');
     } else {

packages/fields/src/widgets/LookupField.tsx

@@ -108,6 +108,7 @@ export function LookupField({ value, onChange, field, readonly }: FieldWidgetPro
                 onClick={() => handleRemove(opt?.value)}
                 className="ml-1 hover:text-destructive"
                 type="button"
+                aria-label={`Remove ${opt?.[displayField] || opt?.label}`}
               >
                 <X className="size-3" />
               </button>

packages/fields/src/widgets/TextAreaField.tsx

@@ -28,7 +28,11 @@ export function TextAreaField({ value, onChange, field, readonly, errorMessage,
         aria-invalid={!!errorMessage}
       />
       {maxLength && (
-        <div className="absolute bottom-2 right-2 text-xs text-gray-400">
+        <div 
+          className="absolute bottom-2 right-2 text-xs text-gray-400"
+          aria-live="polite"
+          aria-label={`Character count: ${(value || '').length} of ${maxLength}`}
+        >
           {(value || '').length}/{maxLength}
         </div>
       )}