fix: add validation (#1205)

* Update component.js

* Linting

* Updates

* Lint error

* Move logic to util func

* Address changes

Author: tajha17

src/library/zoid/message/component.js

@@ -144,7 +144,9 @@ export default createGlobalVariableGetter('__paypal_credit_message__', () =>
                         const { modal, index, account, merchantId, currency, amount, buyerCountry, onApply } = props;
                         const { offerType, offerCountry, messageRequestId, lander } = meta;
                         if (offerType === 'PURCHASE_PROTECTION') {
-                            getURIPopup(lander, offerType);
+                            if (getURIPopup(lander, offerType) == null) {
+                                logger.warn('Blocked unsafe lander URL', { lander });
+                            }
                         } else {
                             // Avoid spreading message props because both message and modal
                             // zoid components have an onClick prop that functions differently

src/utils/sdk.js

@@ -1,6 +1,5 @@
 /* eslint-disable eslint-comments/disable-enable-pair, no-else-return */
 import arrayFrom from 'core-js-pure/stable/array/from';
-
 import { getStorage as getBelterStorage } from '@krakenjs/belter/src';
 import { SDK_QUERY_KEYS, SDK_SETTINGS } from '@paypal/sdk-constants/src';
 import {
@@ -22,7 +21,6 @@ import {
     getDisableSetCookie as getSDKDisableCookie,
     getPageType as getSDKPageType
 } from '@paypal/sdk-client/src';
-
 import { TAG } from './constants';
 
 export function getDisableSetCookie() {
@@ -275,5 +273,18 @@ export function getFeatures(featureProps) {
 
 // open mini-browser with message lander url
 export function getURIPopup(lander, label) {
-    return window.open(lander, label, 'width=460,height=900');
+    try {
+        // eslint-disable-next-line compat/compat
+        const parsed = new URL(lander);
+        const isHttp = parsed.protocol === 'https:';
+        const isPayPalDomain = /\.paypal\.com$/i.test(parsed.hostname);
+
+        if (isHttp && isPayPalDomain) {
+            return window.open(lander, label, 'width=460,height=900');
+        } else {
+            return null;
+        }
+    } catch (e) {
+        return null;
+    }
 }