fix DOM XSS via unvalidated form redirects (#120)

* implement safe url validation for redirects

added validation for safe redirect urls to prevent xss attacks

* add changeset: fix dom xss in form redirects
(marked as patch version bump for @emdash-cms/plugin-forms)

---------

Co-authored-by: Matt Kane <mkane@cloudflare.com>

.changeset/bright-facts-taste.md

@@ -0,0 +1,5 @@
+---
+"@emdash-cms/plugin-forms": patch
+---
+
+Fix DOM XSS in form redirects

packages/plugins/forms/src/client/index.ts

@@ -137,11 +137,17 @@ async function handleSubmit(e: Event) {
 		if (result.success) {
 			clearSavedState(form);
 			if (result.redirect) {
+				// prevent xss
+				if (isSafeRedirectUrl(result.redirect)) {
 					window.location.href = result.redirect;
 				} else {
 					showStatus(form, result.message || "Submitted successfully.", "success");
 					form.reset();
 				}
+			} else {
+				showStatus(form, result.message || "Submitted successfully.", "success");
+				form.reset();
+			}
 		} else if (result.errors) {
 			showErrors(form, result.errors);
 		} else {
@@ -157,6 +163,16 @@ async function handleSubmit(e: Event) {
 	}
 }
 
+/** validates that a redirect url uses a safe protocol */
+function isSafeRedirectUrl(url: string): boolean {
+	try {
+		const parsed = new URL(url, window.location.href);
+		return ["http:", "https:", "mailto:", "tel:"].includes(parsed.protocol);
+	} catch {
+		return false;
+	}
+}
+
 // ─── Click Handler (Prev/Next) ───────────────────────────────────
 
 function handleClick(e: Event) {