fix(security): restrict link protocols to http and https (#1888)

packages/validation/src/app.ts

@@ -4,7 +4,11 @@ const manageAppSchema = z.object({
   name: z.string().min(1).max(64),
   description: z.string().max(512).nullable(),
   iconUrl: z.string().min(1),
-  href: z.string().nullable(),
+  href: z
+    .string()
+    .url()
+    .regex(/^https?:\/\//) // Only allow http and https for security reasons (javascript: is not allowed)
+    .nullable(),
 });
 
 const editAppSchema = manageAppSchema.and(z.object({ id: z.string() }));

packages/validation/src/integration.ts

@@ -7,7 +7,10 @@ import { createSavePermissionsSchema } from "./permissions";
 
 const integrationCreateSchema = z.object({
   name: z.string().nonempty().max(127),
-  url: z.string().url(),
+  url: z
+    .string()
+    .url()
+    .regex(/^https?:\/\//), // Only allow http and https for security reasons (javascript: is not allowed)
   kind: zodEnumFromArray(integrationKinds),
   secrets: z.array(
     z.object({

packages/validation/src/search-engine.ts

@@ -5,7 +5,7 @@ import type { SearchEngineType } from "@homarr/definitions";
 
 const genericSearchEngine = z.object({
   type: z.literal("generic" satisfies SearchEngineType),
-  urlTemplate: z.string().min(1).startsWith("http").includes("%s"),
+  urlTemplate: z.string().min(1).startsWith("http").includes("%s"), // Only allow http and https for security reasons (javascript: is not allowed)
 });
 
 const fromIntegrationSearchEngine = z.object({