From e2ca8ee7bdce013f53e974df7a9ee5094a7e85e0 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Tue, 16 Jun 2026 18:40:55 -0400
Subject: [PATCH] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 web/skins/classic/js/skin.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/web/skins/classic/js/skin.js b/web/skins/classic/js/skin.js
index 89bb5bad6..2765f085a 100644
--- a/web/skins/classic/js/skin.js
+++ b/web/skins/classic/js/skin.js
@@ -101,8 +101,14 @@ window.addEventListener("DOMContentLoaded", function onSkinDCL() {
 evt.preventDefault();
 // Only navigate to safe schemes; block javascript:/data:/vbscript: URLs
 // in href/data-url so a crafted attribute cannot run script on click.
- if (url && !/^\s*(javascript|data|vbscript):/i.test(url)) {
- window.location.assign(url);
+ try {
+ const parsed = new URL(String(url), document.baseURI);
+ const proto = parsed.protocol.toLowerCase();
+ if (proto === 'http:' || proto === 'https:') {
+ window.location.assign(parsed.href);
+ }
+ } catch (e) {
+ // Ignore invalid URLs
 }
 });
 });
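Review bot: The rewritten check drops the old `url &&` guard, so an empty or missing value is no longer a no-op: `String(undefined)` resolves against `document.baseURI` to an http(s) URL ending in `/undefined`, and `''` resolves to the base URL itself, so the click would navigate instead of doing nothing. Where `url` is assigned lies outside the hunk, so whether it can be empty there needs confirming; if it can, restore the guard ahead of the parse with `if (!url) return;` placed before the `try`. The context comment above the change still describes a denylist of `javascript:`/`data:`/`vbscript:`, while the new code is an http/https allowlist that also ignores any other scheme the skin may have relied on; it should read something like `// Only navigate to http(s) URLs resolved against document.baseURI; every other scheme is ignored.`. The click handler begins before the hunk.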