From 4bf8ca58d49a9189daf873ae67d7193cb3cab325 Mon Sep 17 00:00:00 2001
From: Mark-Zampedroni <61708087+Mark-Zampedroni@users.noreply.github.com>
Date: Fri, 13 Mar 2026 23:14:19 +0100
Subject: [PATCH] fix(docx-preview): sanitize hyperlink URIs to prevent XSS
---
 js/vendor/docx-preview.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/js/vendor/docx-preview.js b/js/vendor/docx-preview.js
index 4b49ea496c..59590ca188 100644
--- a/js/vendor/docx-preview.js
+++ b/js/vendor/docx-preview.js
@@ -2998,13 +2998,17 @@ section.${c}>article { margin-bottom: auto; }
 var result = this.createElement("a");
 this.renderChildren(elem, result);
 this.renderStyleValues(elem.cssStyle, result);
+ var href;
 if (elem.href) {
- result.href = elem.href;
+ href = elem.href;
 }
 else if (elem.id) {
 const rel = this.document.documentPart.rels
 .find(it => it.id == elem.id && it.targetMode === "External");
- result.href = rel === null || rel === void 0 ? void 0 : rel.target;
+ href = rel === null || rel === void 0 ? void 0 : rel.target;
+ }
+ if (href && /^(https?|mailto):/i.test(href)) {
+ result.href = href;
 }
 return result;
 }
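Review bot: The new guard `if (href && /^(https?|mailto):/i.test(href))` also rejects fragment-only targets, so if `elem.href` can carry an in-document bookmark reference (a value beginning with `#`; the parser that sets it is not in this patch, so worth confirming) those links now render as anchors with no `href` at all. A leading `#` cannot introduce a scheme, so it can be admitted without weakening the check: `if (href && /^(#|(https?|mailto):)/i.test(href))`. The reason for the allowlist is not stated in the code; a one-line comment above the guard such as `// Only navigable non-script schemes are kept; anything else (javascript:, data:, vbscript:, …) is dropped so links in an untrusted document cannot run code in the viewer.` would stop a future maintainer from "fixing" it back to a pass-through. The enclosing method (the hyperlink renderer, judging from the `createElement("a")` call) begins above the hunk; only its tail is shown here.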