diff --git a/packages/click-to-react-component/src/ClickToComponent.js b/packages/click-to-react-component/src/ClickToComponent.js
index 7ed3ea5..416ce33 100644
--- a/packages/click-to-react-component/src/ClickToComponent.js
+++ b/packages/click-to-react-component/src/ClickToComponent.js
@@ -18,6 +18,8 @@ export const State = /** @type {const} */ ({
   SELECT: 'SELECT',
 })
 
+const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i
+
 /**
  * @param {Props} props
  */
@@ -48,6 +50,10 @@ export function ClickToComponent({ editor = 'vscode', pathModifier }) {
       })
 
       event.preventDefault()
+      if (isJavaScriptProtocol.test(url)) {
+        console.warn(`ClickToComponent has blocked a javascript: URL as a security precaution`);
+        return;
+      }
       window.location.assign(url)
 
       setState(State.IDLE)
@@ -63,7 +69,10 @@ export function ClickToComponent({ editor = 'vscode', pathModifier }) {
         editor,
         pathToSource: returnValue,
       })
-
+      if (isJavaScriptProtocol.test(url)) {
+        console.warn(`ClickToComponent has blocked a javascript: URL as a security precaution`);
+        return;
+      }
       window.location.assign(url)
     }
 
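Review bot: The `isJavaScriptProtocol` check added in the first hunk is a denylist that recognises only the `javascript:` scheme, so a `pathToSource` value that produces a `data:`, `vbscript:` or any other unexpected scheme still reaches `window.location.assign` in the later hunks. Because `getUrl` builds the navigated URL from `editor` and a caller-supplied path, an allowlist on the parsed scheme is the more robust shape, e.g. `const isAllowedEditorUrl = (url) => { try { return ALLOWED_PROTOCOLS.has(new URL(url).protocol) } catch { return false } }` with `ALLOWED_PROTOCOLS` holding the editor schemes `getUrl` is expected to emit (this assumes `getUrl` returns an absolute URL; if it can return a relative one, `new URL(url, window.location.href)` is needed). The trailing `\:` in the regex is an unnecessary escape; a plain `:` is equivalent. The new lines also end in semicolons while the surrounding file omits them.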
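Review bot: The early `return` inserted before `window.location.assign(url)` in the second hunk also skips the `setState(State.IDLE)` at the end of that hunk, so after a blocked URL the component is left in the HOVER state with its old target instead of being reset. The same guard in the third hunk returns before whatever follows its `if` block; that block's end is outside the hunk, so whether a state reset is skipped there cannot be confirmed from the diff. Either move the reset ahead of the guard, `setState(State.IDLE)` before `return`, or invert the condition, `if (!isJavaScriptProtocol.test(url)) { window.location.assign(url) }`, so the existing reset still runs. The identical four-line guard appears in both hunks; a single helper such as `navigateToEditor(url)` that performs the check, the `console.warn` and the `assign` would keep the two call sites from drifting. The enclosing callbacks start before and end after their hunks.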