Links pasted as HTML are not validated with the `createLinkPlugin`'s `isUrl` option

[OliverWales]

Description

<a /> tags pasted as HTML are not validated before they are turned into links in the Plate editor. This means that malicious links e.g. <a href="javascript: alert('Hello')>Click me</a> can be pasted and can execute arbitrary JS on click.

Steps

1. Create a link with a JS href
2. Paste it into a Plate editor with the link plugin
3. Click on the link
4. JS is executed 😳

Sandbox

Any, e.g. https://platejs.org

Expectation

Pasted links are validated according to the isUrl option provided to the plugin and paste as text if invalid.

Funding

• You can sponsor this specific effort via a Polar.sh pledge below
• We receive the pledge once the issue is completed & verified

[OliverWales]

Closing as fixed by https://github.com/udecode/plate/pull/2240