fix DOM XSS via unvalidated form redirects (#120)

* implement safe url validation for redirects

added validation for safe redirect urls to prevent xss attacks

* add changeset: fix dom xss in form redirects
(marked as patch version bump for @emdash-cms/plugin-forms)

---------

Co-authored-by: Matt Kane <mkane@cloudflare.com>

.changeset/bright-facts-taste.md

@@ -0,0 +1,5 @@
+---
+"@emdash-cms/plugin-forms": patch
+---
+
+Fix DOM XSS in form redirects

packages/plugins/forms/src/client/index.ts

@@ -137,7 +137,13 @@ async function handleSubmit(e: Event) {
 		if (result.success) {
 			clearSavedState(form);
 			if (result.redirect) {
-				window.location.href = result.redirect;
+				// prevent xss
+				if (isSafeRedirectUrl(result.redirect)) {
+					window.location.href = result.redirect;
+				} else {
+					showStatus(form, result.message || "Submitted successfully.", "success");
+					form.reset();
+				}
 			} else {
 				showStatus(form, result.message || "Submitted successfully.", "success");
 				form.reset();
@@ -157,6 +163,16 @@ async function handleSubmit(e: Event) {
 	}
 }
 
+/** validates that a redirect url uses a safe protocol */
+function isSafeRedirectUrl(url: string): boolean {
+	try {
+		const parsed = new URL(url, window.location.href);
+		return ["http:", "https:", "mailto:", "tel:"].includes(parsed.protocol);
+	} catch {
+		return false;
+	}
+}
+
 // ─── Click Handler (Prev/Next) ───────────────────────────────────
 
 function handleClick(e: Event) {