From 301d54999530382a4d97c06ad476a72615200380 Mon Sep 17 00:00:00 2001
From: Jean Paul Elisa NIYOKWIZERWA <140616733+Ndevu12@users.noreply.github.com>
Date: Sun, 29 Mar 2026 14:30:08 +0000
Subject: [PATCH] Potential fix for code scanning alert no. 7: DOM text reinterpreted as HTML
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Jean Paul Elisa NIYOKWIZERWA <140616733+Ndevu12@users.noreply.github.com>
---
src/components/Dialogs/ImageDialog.tsx | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/components/Dialogs/ImageDialog.tsx b/src/components/Dialogs/ImageDialog.tsx
index 24b6942..98566d9 100644
--- a/src/components/Dialogs/ImageDialog.tsx
+++ b/src/components/Dialogs/ImageDialog.tsx
@@ -208,7 +208,29 @@ export function ImageDialog() {
 }, []);
 // ── Compute preview URL (either file preview or typed URL) ─
- const previewSrc = source === 'file' ? filePreview : url.trim() || null;
+ const getSafePreviewSrc = (): string | null => {
+ if (source === 'file') {
+ return filePreview;
+ }
+
+ const trimmed = url.trim();
+ if (!trimmed) {
+ return null;
+ }
+
+ try {
+ const parsed = new URL(trimmed, window.location.origin);
+ const scheme = parsed.protocol.replace(':', '').toLowerCase();
+ if (scheme === 'http' || scheme === 'https' || scheme === 'data') {
+ return trimmed;
+ }
+ return null;
+ } catch {
+ return null;
+ }
+ };
+
+ const previewSrc = getSafePreviewSrc();
 const showPreview = !!previewSrc;
 return (
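Review bot: The allowlist inside the `try` block accepts any `data:` URL and then returns the raw `trimmed` string rather than the value that was actually parsed, so input such as `data:text/html,...` or `data:image/svg+xml,...` passes through unchanged. Whether that is exploitable depends on the sink, which is outside this hunk (the JSX after `return (` is not shown); for a plain `<img src>` it is harmless, but since the cited alert is about DOM text being reinterpreted as HTML, a scheme check alone is a thin guarantee and I would restrict data URLs to image media types and return the parsed form: `const href = parsed.href;` / `if (scheme === 'data' && !href.toLowerCase().startsWith('data:image/')) return null;` / `return scheme === 'http' || scheme === 'https' || scheme === 'data' ? href : null;` (relative inputs then become absolute against the page origin, which an image element tolerates). `parsed.protocol` is already lowercase under the WHATWG URL standard, so the `.toLowerCase()` is redundant but harmless. Since the helper reads only `source`, `filePreview` and `url`, it could be a module-level pure function that is easier to unit-test than a closure recreated on every render. The enclosing `ImageDialog` component starts before and ends after this hunk.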