fix(dashboard): sanitize href input in text widget

packages/dashboard/package.json

@@ -60,12 +60,12 @@
     "@testing-library/react": "^14.0.0",
     "@testing-library/user-event": "^14.4.3",
     "@types/is-hotkey": "^0.1.7",
-    "@types/is-url": "^1.2.32",
     "@types/lodash": "^4.14.195",
     "@types/node": "^18.16.18",
     "@types/papaparse": "^5.3.10",
     "@types/react": "^18.2.12",
     "@types/react-dom": "^18.2.5",
+    "@types/validator": "^13.12.0",
     "css-loader": "6.8.1",
     "dotenv": "^16.3.1",
     "eslint-config-iot-app-kit": "10.10.1",
@@ -110,8 +110,8 @@
     "@tanstack/react-query": "^4.29.15",
     "aws-sdk-client-mock": "^3.0.0",
     "buffer": "^6.0.3",
+    "dompurify": "^3.1.6",
     "is-hotkey": "^0.2.0",
-    "is-url": "^1.2.4",
     "papaparse": "^5.4.1",
     "parse-duration": "^1.0.3",
     "react-dnd": "^16.0.1",
@@ -125,7 +125,8 @@
     "react-use": "17.4.0",
     "tiny-invariant": "^1.3.1",
     "turbowatch": "^2.29.4",
-    "uuid": "^9.0.0"
+    "uuid": "^9.0.0",
+    "validator": "^13.12.0"
   },
   "peerDependencies": {
     "@aws-sdk/client-iot-events": "^3.354.0",

packages/dashboard/src/customization/widgets/text/link/index.tsx

@@ -2,7 +2,8 @@ import type { CSSProperties } from 'react';
 import React from 'react';
 import { defaultFontSettings } from '../styledText/defaultFontSettings';
 import type { TextWidget } from '../../types';
-import isValidUrl from 'is-url';
+import DOMPurify from 'dompurify';
+import { isURL } from 'validator';
 
 type TextLinkProps = TextWidget;
 
@@ -23,7 +24,9 @@ const TextLink: React.FC<TextLinkProps> = (widget) => {
     color: fontColor,
   };
 
-  const renderedHref = href && isValidUrl(href) ? href : undefined;
+  const sanitizedHref = href ? DOMPurify.sanitize(href) : undefined;
+  const isValidUrl = sanitizedHref ? isURL(sanitizedHref) : false;
+  const renderedHref = isValidUrl ? sanitizedHref : undefined;
 
   return (
     <a href={renderedHref} className={className} style={style}>