
Potential fix for code scanning alert no. 7: DOM text reinterpreted as HTML#61

Merged
Ndevu12 merged 1 commit into main from alert-autofix-7
Mar 29, 2026

Conversation

@Ndevu12
Owner

@Ndevu12 Ndevu12 commented Mar 29, 2026

Potential fix for https://github.com/Ndevu12/RichTextEditor/security/code-scanning/7

In general, the fix is to avoid feeding raw, unvalidated user input directly into DOM sinks that the browser interprets, especially where URL-like data is concerned. For this component, the simplest safe approach is to validate and normalize the user-entered URL before using it in previewSrc (and therefore before putting it into the <img src> attribute). We should restrict preview URLs to safe schemes (e.g., http:, https:, and data: for images) and treat any other scheme as invalid, so it never reaches the DOM.

Concretely, we can introduce a small helper function within ImageDialog.tsx to compute a safe preview URL from the current source, filePreview, and url. This helper will:

  • Return filePreview unchanged when source === 'file' (it is produced by readFileAsBase64, which should be a data URL and not attacker-controlled beyond file content).
  • For the URL case, trim the string, reject empty values, parse with new URL(...) or a simple regex, and only allow http, https, or data schemes.
  • Return null if the URL is missing or uses a disallowed scheme.

We then replace the direct computation:

const previewSrc = source === 'file' ? filePreview : url.trim() || null;

with a call to this new helper. No new imports are strictly required; we can use the built-in URL constructor for validation. The change is confined to src/components/Dialogs/ImageDialog.tsx around the preview computation and the addition of the helper function nearby.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…s HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Jean Paul Elisa NIYOKWIZERWA <140616733+Ndevu12@users.noreply.github.com>
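The helper the PR description outlines, written out as an added example (this is not the project's own code from ImageDialog.tsx, and the names getSafePreviewSrc, SAFE_SCHEMES and ImageSource are assumptions). It follows the three rules listed above: pass filePreview through for the file case, trim and parse the URL with the built-in URL constructor, and return null for anything that is empty, unparsable or outside the http, https and data schemes. It goes one step beyond the text by also requiring data: URLs to carry an image/* media type, since a data:text/html value is still a URL the browser would interpret.

```typescript
// Added example: safe preview-URL helper modelled on the fix described in the PR.
// Names (getSafePreviewSrc, SAFE_SCHEMES, ImageSource) are assumptions, not the
// project's identifiers.

type ImageSource = 'file' | 'url';

// Schemes an <img src> preview is allowed to use; everything else is rejected.
const SAFE_SCHEMES: ReadonlySet<string> = new Set(['http:', 'https:', 'data:']);

export function getSafePreviewSrc(
  source: ImageSource,
  filePreview: string | null,
  url: string,
): string | null {
  if (source === 'file') {
    // filePreview is produced by the file reader (a data URL built from the
    // chosen file), so it is returned unchanged, as the PR text describes.
    return filePreview;
  }

  const trimmed = url.trim();
  if (!trimmed) return null; // empty input: nothing to preview

  let parsed: URL;
  try {
    // The URL constructor lowercases the scheme and strips embedded tabs and
    // newlines, so "JavaScript:" or "java\nscript:" cannot slip past a check.
    parsed = new URL(trimmed);
  } catch {
    return null; // relative or malformed URL: reject rather than guess
  }

  if (!SAFE_SCHEMES.has(parsed.protocol)) return null;

  // Assumption beyond the PR text: only image data URLs are acceptable;
  // for data: URLs the pathname is the media type plus payload.
  if (parsed.protocol === 'data:' && !/^image\//i.test(parsed.pathname)) {
    return null;
  }

  // Return the normalized form the parser produced.
  return parsed.href;
}
```

In the component this replaces the direct `url.trim() || null` computation with `getSafePreviewSrc(source, filePreview, url)`. Rejecting relative URLs is a consequence of using `new URL(...)` without a base; if the editor needs to preview same-origin relative paths, pass `window.location.origin` as the second argument and keep the scheme check on the result.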
@Ndevu12 Ndevu12 marked this pull request as ready for review March 29, 2026 14:30
@Ndevu12 Ndevu12 merged commit c934e49 into main Mar 29, 2026
8 checks passed
@Ndevu12 Ndevu12 deleted the alert-autofix-7 branch March 29, 2026 14:31
@Ndevu12 Ndevu12 self-assigned this Mar 29, 2026
@Ndevu12 Ndevu12 added the fix Providing fixes for some issues/bugs label Mar 29, 2026