From 3e180163dd07dd871a6d363f66acb86bec4be43f Mon Sep 17 00:00:00 2001
From: Brian Musakwa
Date: Sun, 15 Mar 2026 13:39:05 +0200
Subject: [PATCH] Potential fix for code scanning alert no. 7: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
docs/source/_static/js/version-picker.js | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/docs/source/_static/js/version-picker.js b/docs/source/_static/js/version-picker.js
index e693a45..e370824 100644
--- a/docs/source/_static/js/version-picker.js
+++ b/docs/source/_static/js/version-picker.js
@@ -56,7 +56,25 @@ document.addEventListener("DOMContentLoaded", function () {
 // Navigate to the selected version on change
 dropdown.addEventListener("change", function () {
- window.location.href = this.value;
+ const selectedValue = this.value;
+ if (!selectedValue) {
+ return;
+ }
+
+ try {
+ // Normalize relative URLs against the current origin
+ const targetUrl = new URL(selectedValue, window.location.origin);
+
+ // Only allow navigation to http(s) URLs
+ if (targetUrl.protocol === "http:" || targetUrl.protocol === "https:") {
+ window.location.href = targetUrl.toString();
+ } else {
+ console.error("Blocked navigation to unsafe URL scheme:", targetUrl.href);
+ }
+ } catch (e) {
+ // If the value is not a valid URL, do not navigate
+ console.error("Invalid URL in version picker:", selectedValue, e);
+ }
 });
 // Add elements to the version picker
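Review bot: The new `new URL(selectedValue, window.location.origin)` changes how page-relative picker values resolve: the replaced `window.location.href = this.value` resolved them against the current document URL, while an origin base resolves them against the site root, so a value such as `../v1.0/` now lands on a different page if the picker uses relative paths (whether it does is not visible in this hunk). Keeping the old resolution while still normalising is `const targetUrl = new URL(selectedValue, window.location.href);`. The scheme check is the right guard against `javascript:`-style values, but it still permits navigation to any http(s) host; if every documented version lives on this site, extending the condition with `&& targetUrl.origin === window.location.origin` turns the guard into a same-origin allow-list and the blocked-navigation branch already logs the rejection. The subject cites an alert about DOM text being reinterpreted as HTML, which describes an innerHTML-style sink rather than this navigation assignment, so it is worth confirming the alert's actual sink is addressed elsewhere rather than treating this hunk as closing it.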