Wrap decodeURIComponent in try-catch to protect against malformed URIs

src/linkify-matrix.js

@@ -254,12 +254,16 @@ matrixLinkify.options = {
 
     target: function(href, type) {
         if (type === 'url') {
+            try {
                 const transformed = tryTransformPermalinkToLocalHref(href);
                 if (transformed !== href || decodeURIComponent(href).match(matrixLinkify.ELEMENT_URL_PATTERN)) {
                     return null;
                 } else {
                     return '_blank';
                 }
+            } catch (e) {
+                // malformed URI
+            }
         }
         return null;
     },

src/utils/permalinks/Permalinks.ts

@@ -346,10 +346,15 @@ export function tryTransformPermalinkToLocalHref(permalink: string): string {
         return permalink;
     }
 
+    try {
         const m = decodeURIComponent(permalink).match(matrixLinkify.ELEMENT_URL_PATTERN);
         if (m) {
             return m[1];
         }
+    } catch (e) {
+        // Not a valid URI
+        return permalink;
+    }
 
     // A bit of a hack to convert permalinks of unknown origin to Element links
     try {