diff --git a/package-lock.json b/package-lock.json
index 6647b41..f1471b7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -30089,7 +30089,7 @@
 },
 "packages/ui-extensions-react": {
 "name": "@doist/ui-extensions-react",
- "version": "12.0.0",
+ "version": "12.0.1",
 "license": "MIT",
 "dependencies": {
 "classnames": "^2.3.1",
diff --git a/packages/ui-extensions-react/package.json b/packages/ui-extensions-react/package.json
index f384b51..0d29a61 100644
--- a/packages/ui-extensions-react/package.json
+++ b/packages/ui-extensions-react/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@doist/ui-extensions-react",
- "version": "12.0.0",
+ "version": "12.0.1",
 "author": "Doist",
 "license": "MIT",
 "main": "dist/index.js",
diff --git a/packages/ui-extensions-react/src/components/adaptive-card/AdaptiveCardRenderer.tsx b/packages/ui-extensions-react/src/components/adaptive-card/AdaptiveCardRenderer.tsx
index ca9987d..9d2469c 100755
--- a/packages/ui-extensions-react/src/components/adaptive-card/AdaptiveCardRenderer.tsx
+++ b/packages/ui-extensions-react/src/components/adaptive-card/AdaptiveCardRenderer.tsx
@@ -61,6 +61,28 @@ export function registerMarkdownParser(markdownParser: (text: string) => string)
 }
 }
+/**
+ * Protects against XSS attacks by validating the URL.
+ * @param url
+ * @returns
+ */
+function isValidUrl(url: string): boolean {
+ try {
+ // Parse the URL using the URL constructor
+ const parsedUrl = new URL(url)
+
+ // Check for allowed protocols
+ if (parsedUrl.protocol === 'http:' || parsedUrl.protocol === 'https:') {
+ return true
+ } else {
+ return false
+ }
+ } catch {
+ // If URL constructor throws an error, it's an invalid URL
+ return false
+ }
+}
+
 /**
  * To support markdown, register a markdown parser via `registerMarkdownParser`
  * @see registerMarkdownParser
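Review bot: The TSDoc added on `isValidUrl` leaves `@param url` and `@returns` empty and describes the function only as protecting against XSS, which does not tell a caller what actually passes; the real contract is that only absolute `http:`/`https:` URLs return true, so every other scheme is rejected and so are relative URLs, the latter because `new URL(url)` is called without a base. I would replace the header with `/** Returns true only for absolute http(s) URLs. Any other scheme and any relative URL (no base is supplied to new URL) is rejected, so a true result cannot carry a script-bearing scheme into window.open. */` plus `@param url - raw URL taken from the card action` and `@returns true when the URL may be opened`. The body can also collapse to `return parsedUrl.protocol === 'http:' || parsedUrl.protocol === 'https:'` in place of the if/else that returns literals. The package-lock.json and package.json hunks are version bumps only.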
@@ -97,7 +119,7 @@ export function AdaptiveCardRenderer({
 try {
 const inputs = adaptiveCard.getAllInputs()
 const inputsObject = getInputObject(inputs)
- if (action instanceof OpenUrlAction && action.url) {
+ if (action instanceof OpenUrlAction && action.url && isValidUrl(action.url)) {
 window.open(action.url, '_blank')
 } else if (action instanceof ClipboardAction && action.text) {
 clipboardHandler(action.text)
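Review bot: The `window.open(action.url, '_blank')` call on the line after the new condition still passes no window features, so in browsers that do not default `_blank` to noopener the opened document keeps a `window.opener` reference back to the renderer; `window.open(action.url, '_blank', 'noopener,noreferrer')` removes that hand-off and belongs next to the scheme check. A URL that `isValidUrl` rejects now falls through the `else if` chain without any trace, so if `mailto:` or similar links were ever expected from card actions the drop will be invisible; a logged warning in that branch would make it diagnosable. The enclosing handler starts and ends outside the hunk.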