@journeyrewards/hive-vercel 1.2.0 → 1.2.1

package/dist/index.js

@@ -397,6 +397,14 @@ function MessageBubble({ role, content, timestamp }) {
     ) : null
   );
 }
+function isSafeUrl(url) {
+  try {
+    const parsed = new URL(url);
+    return parsed.protocol === "https:" || parsed.protocol === "http:";
+  } catch {
+    return false;
+  }
+}
 function ChartEmbed({ embedUrl, imageUrl, title, chartId, width, height, className }) {
   const containerStyle = {
     margin: "8px 0 16px",
@@ -405,7 +413,7 @@ function ChartEmbed({ embedUrl, imageUrl, title, chartId, width, height, classNa
     border: "1px solid #e2e2ea",
     maxWidth: width || "640px"
   };
-  if (embedUrl) {
+  if (embedUrl && isSafeUrl(embedUrl)) {
     return (0, import_react2.createElement)(
       "div",
       { className: `jh-chart-embed ${className || ""}`.trim(), style: containerStyle },
@@ -413,11 +421,13 @@ function ChartEmbed({ embedUrl, imageUrl, title, chartId, width, height, classNa
         src: embedUrl,
         title: title || "Chart",
         style: { width: "100%", height: height || "400px", border: "none" },
-        loading: "lazy"
+        loading: "lazy",
+        sandbox: "allow-scripts allow-same-origin",
+        referrerPolicy: "no-referrer"
       })
     );
   }
-  if (imageUrl) {
+  if (imageUrl && isSafeUrl(imageUrl)) {
     return (0, import_react2.createElement)(
       "div",
       { className: `jh-chart-embed ${className || ""}`.trim(), style: containerStyle },
@@ -425,7 +435,8 @@ function ChartEmbed({ embedUrl, imageUrl, title, chartId, width, height, classNa
         src: imageUrl,
         alt: title || "Chart",
         style: { width: "100%", height: "auto", display: "block" },
-        loading: "lazy"
+        loading: "lazy",
+        referrerPolicy: "no-referrer"
       })
     );
   }

package/dist/index.mjs

@@ -371,6 +371,14 @@ function MessageBubble({ role, content, timestamp }) {
     ) : null
   );
 }
+function isSafeUrl(url) {
+  try {
+    const parsed = new URL(url);
+    return parsed.protocol === "https:" || parsed.protocol === "http:";
+  } catch {
+    return false;
+  }
+}
 function ChartEmbed({ embedUrl, imageUrl, title, chartId, width, height, className }) {
   const containerStyle = {
     margin: "8px 0 16px",
@@ -379,7 +387,7 @@ function ChartEmbed({ embedUrl, imageUrl, title, chartId, width, height, classNa
     border: "1px solid #e2e2ea",
     maxWidth: width || "640px"
   };
-  if (embedUrl) {
+  if (embedUrl && isSafeUrl(embedUrl)) {
     return createElement2(
       "div",
       { className: `jh-chart-embed ${className || ""}`.trim(), style: containerStyle },
@@ -387,11 +395,13 @@ function ChartEmbed({ embedUrl, imageUrl, title, chartId, width, height, classNa
         src: embedUrl,
         title: title || "Chart",
         style: { width: "100%", height: height || "400px", border: "none" },
-        loading: "lazy"
+        loading: "lazy",
+        sandbox: "allow-scripts allow-same-origin",
+        referrerPolicy: "no-referrer"
       })
     );
   }
-  if (imageUrl) {
+  if (imageUrl && isSafeUrl(imageUrl)) {
     return createElement2(
       "div",
       { className: `jh-chart-embed ${className || ""}`.trim(), style: containerStyle },
@@ -399,7 +409,8 @@ function ChartEmbed({ embedUrl, imageUrl, title, chartId, width, height, classNa
         src: imageUrl,
         alt: title || "Chart",
         style: { width: "100%", height: "auto", display: "block" },
-        loading: "lazy"
+        loading: "lazy",
+        referrerPolicy: "no-referrer"
       })
     );
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@journeyrewards/hive-vercel",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "Vercel/Next.js SDK for Journey Hive Agent Orchestration",
   "main": "dist/index.js",
   "module": "dist/index.mjs",