fix: validate src URL scheme in slash command composer preview popup

[ggazzo]

Summary

`ComposerBoxPopupPreview` rendered the `value` field from `/v1/commands.preview` straight into the `src` attribute of ``, ``, and `

Fix

• Added a scheme allowlist: `http:`, `https:`, `data:`, `blob:`.
• `safeMediaSrc()` parses the value through `new URL(value, window.location.origin)` and returns `undefined` for anything outside the allowlist (or unparseable input).
• Each media branch (`image`, `audio`, `video`) now skips render when `mediaSrc` is `undefined`. Text/other branches keep rendering the value as plain text — no DOM injection vector.

Origin

Spotted by hacktron during review of #40659. The component predates that PR (Feb 2025 refactor, commit 5f9adcd), so a standalone fix.

Test plan

• Trigger a slash command with valid `http(s)` preview values — popup renders normally.
• Mock the `/v1/commands.preview` response with `value: 'javascript:alert(1)'` — preview tile renders empty for that item; no `src` attribute hits the DOM.
• Verify text/other preview types still render their string value.

Summary by CodeRabbit

• Bug Fixes
  • Fixed a security issue in the composer where invalid URL schemes could be processed as preview media. The preview now validates that media URLs use only standard protocols (http, https, data, or blob), preventing potentially unsafe content from being displayed.

[changeset-bot]

🦋 Changeset detected

Latest commit: 6bdee93

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 962eb8e8-261d-48bc-9394-dc26a6af6b19

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

The PR adds URL validation to the ComposerBoxPopupPreview component to prevent unsafe URI schemes (like javascript:) from the /v1/commands.preview API from being rendered as media sources. A new safeMediaSrc helper validates URLs against an allowlist of safe schemes, and preview rendering is updated to use only validated URLs.

Changes

ComposerBoxPopupPreview URL Validation

Layer / File(s)	Summary
URL validation helper apps/meteor/client/views/room/composer/ComposerBoxPopupPreview.tsx	Adds SAFE_MEDIA_SCHEMES constant and safeMediaSrc helper that parses URLs and returns undefined for any scheme not in the allowlist (http, https, data, blob).
Preview rendering integration apps/meteor/client/views/room/composer/ComposerBoxPopupPreview.tsx, .changeset/composer-preview-src-validation.md	Updates itemsFlat.map rendering to compute sanitized mediaSrc and conditionally render image/audio/video elements only when the source is valid; documents the security fix in the changeset with a patch bump.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

type: bug

Suggested reviewers

• KevLehman

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding URL scheme validation to the ComposerBoxPopupPreview component to prevent non-media URI schemes from being used as src attributes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.61%. Comparing base (82aad55) to head (6bdee93).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40686      +/-   ##
===========================================
- Coverage    69.63%   69.61%   -0.03%     
===========================================
  Files         3338     3338              
  Lines       123289   123289              
  Branches     22005    21972      -33     
===========================================
- Hits         85850    85824      -26     
- Misses       34073    34097      +24     
- Partials      3366     3368       +2     

Flag	Coverage Δ
unit	70.44% <ø> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cubic-dev-ai]

No issues found across 2 files

_{Re-trigger cubic}