
Potential fix for code scanning alert no. 21: Incomplete URL scheme check#2765

Closed
nperez0111 wants to merge 2 commits into main from alert-autofix-21

Conversation

@nperez0111 (Contributor)

Potential fix for https://github.com/TypeCellOS/BlockNote/security/code-scanning/21

The best fix is to explicitly block all known dangerous executable schemes in this sanitizer, not just javascript:.
Without changing existing behavior otherwise, update the condition in packages/react/src/util/sanitizeUrl.ts so the function only returns url.href when the protocol is not any of: javascript:, data:, vbscript:. For blocked schemes (or parse errors), continue returning "#" exactly as now.

Concretely, edit the if condition around line 12 to include all three checks. No new imports, methods, or dependencies are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
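The scheme check the description asks for, written out as an added example for this page; it is not BlockNote's own packages/react/src/util/sanitizeUrl.ts. The function name sanitizeUrl, its string-in/string-out signature, and the legacySanitizeUrl reconstruction of the single-scheme check are assumptions drawn only from the description above. The example parses with the WHATWG URL constructor and compares url.protocol, which matters because the parser lowercases the scheme and strips ASCII tab and newline characters before comparison, so spellings that a plain prefix test would miss still resolve to the blocked protocol:

```typescript
// Added example, not the project's code. Names and signature are assumed.

// Schemes whose "URLs" are inline code the browser executes on navigation.
// All three are the ones the PR description lists.
const BLOCKED_PROTOCOLS: ReadonlySet<string> = new Set([
  // The string literal trips eslint's no-script-url rule; the directive
  // must sit on the line directly above the literal to suppress it.
  // eslint-disable-next-line no-script-url
  "javascript:",
  "data:",
  "vbscript:",
]);

// Hardened sanitizer: returns the normalized href only for URLs whose
// protocol is not in the block list, and "#" for blocked schemes or
// anything the URL parser rejects (including relative references, which
// the single-argument constructor cannot resolve).
function sanitizeUrl(raw: string): string {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return "#";
  }
  if (BLOCKED_PROTOCOLS.has(url.protocol)) {
    return "#";
  }
  return url.href;
}

// Reconstruction (assumed, from "not just javascript:") of the incomplete
// check the alert flagged: only one executable scheme is rejected, so
// data: and vbscript: URLs pass straight through.
function legacySanitizeUrl(raw: string): string {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return "#";
  }
  // eslint-disable-next-line no-script-url
  if (url.protocol === "javascript:") {
    return "#";
  }
  return url.href;
}

// Constructed inputs, not values from the project or the alert.
const SAMPLES: string[] = [
  "https://example.com/docs",
  "mailto:user@example.com",
  "javascript:alert(1)",
  "JavaScript:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,hello",
  "vbscript:MsgBox",
  "/relative/path",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", sanitizeUrl(s), "| legacy:", legacySanitizeUrl(s));
}
```

Comparing url.protocol against a set, rather than testing the raw string with startsWith, keeps the check aligned with what the browser will actually do with the href once it is rendered: the browser parses the attribute value the same way, so a check on the parsed scheme cannot be bypassed by case or embedded whitespace that the raw-string check would pass. Parse failures fall back to "#" to match the behaviour the description says must be preserved.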

vercel Bot commented May 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project           | Deployment | Actions | Updated (UTC)
blocknote         | Ready      | Preview | May 21, 2026 6:58am
blocknote-website | Ready      | Preview | May 21, 2026 6:58am



coderabbitai Bot commented May 21, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b2bae65f-c7d6-4cb1-bcbd-50b3cd71e990

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


The multi-line if condition moved the 'javascript:' string to a line
no longer covered by the eslint-disable-next-line directive. Move the
comment inside the if condition so it correctly suppresses no-script-url
on the line containing the string literal.
