From 49ace2faf9d47a4eb6a780e3aa56f1b739eea5c6 Mon Sep 17 00:00:00 2001
From: dotta <dotta@example.com>
Date: Sat, 21 Mar 2026 14:59:20 -0500
Subject: [PATCH] Allow custom markdown mention links in editor

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 ui/src/components/MarkdownEditor.tsx | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ui/src/components/MarkdownEditor.tsx b/ui/src/components/MarkdownEditor.tsx
index 0f6bd402..afbd29fc 100644
--- a/ui/src/components/MarkdownEditor.tsx
+++ b/ui/src/components/MarkdownEditor.tsx
@@ -68,6 +68,12 @@ function escapeRegExp(value: string): string {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 
+function isSafeMarkdownLinkUrl(url: string): boolean {
+  const trimmed = url.trim();
+  if (!trimmed) return true;
+  return !/^(javascript|data|vbscript):/i.test(trimmed);
+}
+
 /* ---- Mention detection helpers ---- */
 
 interface MentionState {
@@ -269,7 +275,7 @@ export const MarkdownEditor = forwardRef<MarkdownEditorRef, MarkdownEditorProps>
       listsPlugin(),
       quotePlugin(),
       tablePlugin(),
-      linkPlugin(),
+      linkPlugin({ validateUrl: isSafeMarkdownLinkUrl }),
       linkDialogPlugin(),
       thematicBreakPlugin(),
       codeBlockPlugin({