corex-ui · karim-semmoud · Jun 2, 2026 · Jun 2, 2026
diff --git a/assets/components/pagination.ts b/assets/components/pagination.ts
@@ -2,6 +2,7 @@ import { connect, machine, type Api, type Props } from "@zag-js/pagination";
 import type { IntlTranslations } from "@zag-js/pagination";
 import { VanillaMachine } from "@zag-js/vanilla";
 import { Component } from "../lib/core";
+import { isAllowedRedirectDestination } from "../lib/redirect";
 import { cloneTemplateChildren, getString } from "../lib/util";
 
 export class Pagination extends Component<Props, Api> {
@@ -184,7 +185,7 @@ export function applyPhoenixLinkAttrsToNavigableParts(rootEl: HTMLElement): void
 export function buildGetPageUrl(el: HTMLElement): Props["getPageUrl"] | undefined {
   const triggerType = getString(el, "type");
   const base = el.dataset.to;
-  if (triggerType !== "link" || !base) return undefined;
+  if (triggerType !== "link" || !base || !isAllowedRedirectDestination(base)) return undefined;
 
   const pageParam = el.dataset.pageParam ?? "page";
   const pageSizeParam = el.dataset.pageSizeParam ?? "page_size";

diff --git a/assets/test/component/component-pagination-matrix.test.ts b/assets/test/component/component-pagination-matrix.test.ts
@@ -74,6 +74,8 @@ describe("buildGetPageUrl matrix", () => {
     [{ type: "link", to: "/x", pageParam: "p", pageSizeParam: "ps" }, "p=3"],
     [{ type: "button", to: "/x" }, null],
     [{ type: "link" }, null],
+    [{ type: "link", to: "javascript:alert(1)" }, null],
+    [{ type: "link", to: "//evil.example" }, null],
   ] as const)("%#", (dataset, fragment) => {
     const getUrl = buildGetPageUrl(el(dataset as Record<string, string>));
     if (fragment == null) expect(getUrl).toBeUndefined();

diff --git a/assets/test/component/pagination.test.ts b/assets/test/component/pagination.test.ts
@@ -44,6 +44,11 @@ describe("buildGetPageUrl", () => {
   it("returns undefined for button type", () => {
     expect(buildGetPageUrl(el({ type: "button" }))).toBeUndefined();
   });
+
+  it("returns undefined for disallowed base URL", () => {
+    expect(buildGetPageUrl(el({ type: "link", to: "javascript:alert(1)" }))).toBeUndefined();
+    expect(buildGetPageUrl(el({ type: "link", to: "//evil.example" }))).toBeUndefined();
+  });
 });
 
 describe("applyPhoenixLinkAttrs", () => {

diff --git a/lib/components/pagination/connect.ex b/lib/components/pagination/connect.ex
@@ -24,7 +24,7 @@ defmodule Corex.Pagination.Connect do
       "data-sibling-count" => to_string(assigns.sibling_count),
       "data-boundary-count" => to_string(assigns.boundary_count),
       "data-type" => assigns.type,
-      "data-to" => assigns.to,
+      "data-to" => link_base_to(assigns),
       "data-page-param" => assigns.page_param,
       "data-page-size-param" => assigns.page_size_param,
       "data-redirect" => assigns.redirect,
@@ -37,6 +37,12 @@ defmodule Corex.Pagination.Connect do
     |> maybe_put_data_dir_from(assigns)
   end
 
+  defp link_base_to(%{to: to}) when is_binary(to) do
+    if Corex.Url.allowed_href?(to), do: to
+  end
+
+  defp link_base_to(_), do: nil
+
   defp translation_json(assigns) do
     case Map.get(assigns, :translation) do
       %PaginationTranslation{} = t ->

diff --git a/priv/static/chunks/chunk-6Q6MB27T.mjs → priv/static/chunks/chunk-HZLPIQBD.mjs b/priv/static/chunks/chunk-6Q6MB27T.mjs → priv/static/chunks/chunk-HZLPIQBD.mjs
@@ -49,6 +49,7 @@ function performRedirect(input, ctx) {
 }
 
 export {
+  isAllowedRedirectDestination,
   readDomItemRedirect,
   performRedirect
 };
diff --git a/priv/static/combobox.mjs b/priv/static/combobox.mjs
@@ -35,7 +35,7 @@ import {
 import {
   performRedirect,
   readDomItemRedirect
-} from "./chunks/chunk-6Q6MB27T.mjs";
+} from "./chunks/chunk-HZLPIQBD.mjs";
 import {
   getInteractionModality,
   setInteractionModality,

diff --git a/priv/static/corex.js b/priv/static/corex.js
@@ -13011,7 +13011,7 @@ var Corex = (() => {
     }
   });
 
-  // ../priv/static/chunks/chunk-6Q6MB27T.mjs
+  // ../priv/static/chunks/chunk-HZLPIQBD.mjs
   function isAllowedRedirectDestination(destination) {
     const trimmed = destination.trim();
     if (!trimmed) return false;
@@ -13059,8 +13059,8 @@ var Corex = (() => {
     return true;
   }
   var REDIRECT_MODES, SCHEME_PREFIX;
-  var init_chunk_6Q6MB27T = __esm({
-    "../priv/static/chunks/chunk-6Q6MB27T.mjs"() {
+  var init_chunk_HZLPIQBD = __esm({
+    "../priv/static/chunks/chunk-HZLPIQBD.mjs"() {
       "use strict";
       REDIRECT_MODES = ["href", "patch", "navigate"];
       SCHEME_PREFIX = /^[a-zA-Z][a-zA-Z0-9+.-]*:/;
@@ -13614,7 +13614,7 @@ var Corex = (() => {
       init_chunk_CNPBJL2G();
       init_chunk_NICWUGGL();
       init_chunk_FVGYE2AE();
-      init_chunk_6Q6MB27T();
+      init_chunk_HZLPIQBD();
       init_chunk_VDUSDBJS();
       init_chunk_I2HPUDHJ();
       init_chunk_77HPO22C();
@@ -27360,7 +27360,7 @@ ${err}`);
       "use strict";
       init_chunk_NICWUGGL();
       init_chunk_FVGYE2AE();
-      init_chunk_6Q6MB27T();
+      init_chunk_HZLPIQBD();
       init_chunk_VDUSDBJS();
       init_chunk_I2HPUDHJ();
       init_chunk_77HPO22C();
@@ -28722,7 +28722,7 @@ ${err}`);
       init_chunk_WJDVLJMP();
       init_chunk_B5L2AGOH();
       init_chunk_CNPBJL2G();
-      init_chunk_6Q6MB27T();
+      init_chunk_HZLPIQBD();
       init_chunk_VDUSDBJS();
       init_chunk_2WCNJX5P();
       init_chunk_2GQRP3FN();
@@ -31853,7 +31853,7 @@ ${err}`);
     var _a4, _b;
     const triggerType = getString(el, "type");
     const base = el.dataset.to;
-    if (triggerType !== "link" || !base) return void 0;
+    if (triggerType !== "link" || !base || !isAllowedRedirectDestination(base)) return void 0;
     const pageParam = (_a4 = el.dataset.pageParam) != null ? _a4 : "page";
     const pageSizeParam = (_b = el.dataset.pageSizeParam) != null ? _b : "page_size";
     return ({ page, pageSize }) => {
@@ -31931,6 +31931,7 @@ ${err}`);
     "../priv/static/pagination.mjs"() {
       "use strict";
       init_chunk_HWSJUKAB();
+      init_chunk_HZLPIQBD();
       init_chunk_77HPO22C();
       init_chunk_2WCNJX5P();
       init_chunk_2GQRP3FN();
@@ -34790,7 +34791,7 @@ ${err}`);
       init_chunk_CNPBJL2G();
       init_chunk_NICWUGGL();
       init_chunk_FVGYE2AE();
-      init_chunk_6Q6MB27T();
+      init_chunk_HZLPIQBD();
       init_chunk_VDUSDBJS();
       init_chunk_I2HPUDHJ();
       init_chunk_77HPO22C();
@@ -43656,7 +43657,7 @@ ${err}`);
       init_chunk_JDGMEOQK();
       init_chunk_SBA2GV3P();
       init_chunk_FVGYE2AE();
-      init_chunk_6Q6MB27T();
+      init_chunk_HZLPIQBD();
       init_chunk_77HPO22C();
       init_chunk_2WCNJX5P();
       init_chunk_2GQRP3FN();

diff --git a/priv/static/corex.min.js b/priv/static/corex.min.js
diff --git a/priv/static/listbox.mjs b/priv/static/listbox.mjs
@@ -10,7 +10,7 @@ import "./chunks/chunk-FVGYE2AE.mjs";
 import {
   performRedirect,
   readDomItemRedirect
-} from "./chunks/chunk-6Q6MB27T.mjs";
+} from "./chunks/chunk-HZLPIQBD.mjs";
 import "./chunks/chunk-VDUSDBJS.mjs";
 import {
   readStringListControlledZagProps,

diff --git a/priv/static/menu.mjs b/priv/static/menu.mjs
@@ -17,7 +17,7 @@ import {
 import {
   performRedirect,
   readDomItemRedirect
-} from "./chunks/chunk-6Q6MB27T.mjs";
+} from "./chunks/chunk-HZLPIQBD.mjs";
 import {
   getInteractionModality,
   setInteractionModality,

diff --git a/priv/static/pagination.mjs b/priv/static/pagination.mjs
@@ -1,6 +1,9 @@
 import {
   memo
 } from "./chunks/chunk-HWSJUKAB.mjs";
+import {
+  isAllowedRedirectDestination
+} from "./chunks/chunk-HZLPIQBD.mjs";
 import {
   createDomEventRegistry,
   createHookHandleEventRegistry
@@ -534,7 +537,7 @@ function applyPhoenixLinkAttrsToNavigableParts(rootEl) {
 function buildGetPageUrl(el) {
   const triggerType = getString(el, "type");
   const base = el.dataset.to;
-  if (triggerType !== "link" || !base) return void 0;
+  if (triggerType !== "link" || !base || !isAllowedRedirectDestination(base)) return void 0;
   const pageParam = el.dataset.pageParam ?? "page";
   const pageSizeParam = el.dataset.pageSizeParam ?? "page_size";
   return ({ page, pageSize }) => {

diff --git a/priv/static/select.mjs b/priv/static/select.mjs
@@ -26,7 +26,7 @@ import {
 import {
   performRedirect,
   readDomItemRedirect
-} from "./chunks/chunk-6Q6MB27T.mjs";
+} from "./chunks/chunk-HZLPIQBD.mjs";
 import {
   getInteractionModality,
   setInteractionModality,

diff --git a/priv/static/tree-view.mjs b/priv/static/tree-view.mjs
@@ -14,7 +14,7 @@ import {
 import {
   performRedirect,
   readDomItemRedirect
-} from "./chunks/chunk-6Q6MB27T.mjs";
+} from "./chunks/chunk-HZLPIQBD.mjs";
 import {
   createDomEventRegistry,
   createHookHandleEventRegistry

diff --git a/test/components/pagination_test.exs b/test/components/pagination_test.exs
@@ -184,6 +184,30 @@ defmodule Corex.PaginationTest do
       assert props["data-default-page-size"] == nil
       assert props["data-controlled-page-size"] == ""
     end
+
+    test "omits data-to for disallowed base URL" do
+      props =
+        Connect.props(%Corex.Pagination.Anatomy.Props{
+          id: "p1",
+          count: 100,
+          type: "link",
+          to: "javascript:alert(1)"
+        })
+
+      assert props["data-to"] == nil
+    end
+
+    test "includes data-to for allowed base URL" do
+      props =
+        Connect.props(%Corex.Pagination.Anatomy.Props{
+          id: "p1",
+          count: 100,
+          type: "link",
+          to: "/items"
+        })
+
+      assert props["data-to"] == "/items"
+    end
   end
 
   describe "set_page/2" do