security hardening

app/services/invoice/pdf/InvoiceDocument.tsx

@@ -22,6 +22,21 @@ const TEXT_DARK = "#1F2933";
 const TEXT_MUTED = "#6B7280";
 const TABLE_BORDER = "#E5E7EB";
 
+/**
+ * Returns true only for syntactically valid http(s) URLs. Used to gate
+ * carrier/fulfillment-supplied tracking URLs before embedding them as PDF
+ * link annotations, so non-http schemes (javascript:, file:, data:, …) can't
+ * be smuggled into the document.
+ */
+function isHttpUrl(value: string): boolean {
+  try {
+    const u = new URL(value);
+    return u.protocol === "https:" || u.protocol === "http:";
+  } catch {
+    return false;
+  }
+}
+
 const styles = StyleSheet.create({
   page: {
     paddingTop: 40,
@@ -348,7 +363,7 @@ export function InvoiceDocument({ invoice }: DocProps) {
                     {t.trackingLabel}
                     {tr.company ? ` (${tr.company})` : ""}
                   </Text>
-                  {tr.url ? (
+                  {tr.url && isHttpUrl(tr.url) ? (
                     <Link src={tr.url} style={styles.metaValue}>{tr.number}</Link>
                   ) : (
                     <Text style={styles.metaValue}>{tr.number}</Text>