From 43cefadcb9dc76edd898e0cb38ceb4d4b10e6ac8 Mon Sep 17 00:00:00 2001
From: Alfie Jones
Date: Sat, 9 May 2026 20:09:58 +1000
Subject: [PATCH] hardening href validation
---
 packages/shadcn-svelte/src/catalog.ts | 5 ++++-
 packages/shadcn/src/catalog.ts | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/packages/shadcn-svelte/src/catalog.ts b/packages/shadcn-svelte/src/catalog.ts
index 51196083..29e05a81 100644
--- a/packages/shadcn-svelte/src/catalog.ts
+++ b/packages/shadcn-svelte/src/catalog.ts
@@ -401,7 +401,10 @@ export const shadcnComponentDefinitions = {
 Link: {
 props: z.object({
 label: z.string(),
- href: z.string(),
+ href: z.union([
+ z.url({ protocol: /^(https?|mailto)$/ }),
+ z.string().regex(/^\/(?!\/)/),
+ ]),
 }),
 events: ["press"],
 description: "Anchor link. Bind on.press for click handler.",
diff --git a/packages/shadcn/src/catalog.ts b/packages/shadcn/src/catalog.ts
index 11fc6bcd..566b03e6 100644
--- a/packages/shadcn/src/catalog.ts
+++ b/packages/shadcn/src/catalog.ts
@@ -404,7 +404,10 @@ export const shadcnComponentDefinitions = {
 Link: {
 props: z.object({
 label: z.string(),
- href: z.string(),
+ href: z.union([
+ z.url({ protocol: /^(https?|mailto)$/ }),
+ z.string().regex(/^\/(?!\/)/),
+ ]),
 }),
 events: ["press"],
 description: "Anchor link. Bind on.press for click handler.",
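Review bot: The relative-path branch `z.string().regex(/^\/(?!\/)/)` in the `Link` props only rejects a second forward slash, so it still admits values that a browser URL parser resolves as protocol-relative, because the parser treats a backslash like a slash for http(s) and removes tab, CR and LF before parsing. If `href` reaches a browser anchor (the description suggests it does, but the renderer is outside this diff), such a value passes validation and still navigates off-origin. Anchoring the pattern and excluding those characters closes the gap: `z.string().regex(/^\/(?![\/\\])[^\t\r\n]*$/)`. The identical line in the `packages/shadcn/src/catalog.ts` hunk needs the same change, and a one-line comment such as `// same-origin absolute path only; no scheme-relative or fragment-only hrefs` would record that `#anchor` and `tel:` values are now rejected on purpose. `shadcnComponentDefinitions` starts and the `Link` entry ends outside both hunks.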