diff --git a/packages/editor/src/core/extensions/custom-link/extension.tsx b/packages/editor/src/core/extensions/custom-link/extension.tsx
index a00585b8848..0b102264258 100644
Binary files a/packages/editor/src/core/extensions/custom-link/extension.tsx and b/packages/editor/src/core/extensions/custom-link/extension.tsx differ
diff --git a/packages/editor/src/core/extensions/custom-link/helpers/clickHandler.ts b/packages/editor/src/core/extensions/custom-link/helpers/clickHandler.ts
index f101f4c5bd6..98c795cea3d 100644
--- a/packages/editor/src/core/extensions/custom-link/helpers/clickHandler.ts
+++ b/packages/editor/src/core/extensions/custom-link/helpers/clickHandler.ts
@@ -40,6 +40,16 @@ export function clickHandler(options: ClickHandlerOptions): Plugin {
 const target = link?.target ?? attrs.target;
 if (link && href) {
+ // Defence-in-depth: link.href is the browser-resolved URL (whitespace
+ // already stripped by the browser's WHATWG URL parser), so a protocol
+ // check here is sufficient to catch any dangerous URI that slipped past
+ // the editor's parse/render-time guards. Matches the blocked-scheme list
+ // in isValidHttpUrl (javascript:, data:, vbscript:, file:, about:)
+ // to keep the policy consistent (GHSA-v2vv-7wq3-8w2j).
+ if (/^(javascript|data|vbscript|file|about):/i.test(href)) {
+ return false;
+ }
+
 window.open(href, target);
 return true;