diff --git a/apps/client/src/lib/config.ts b/apps/client/src/lib/config.ts
index bc40020b..67bbe100 100644
--- a/apps/client/src/lib/config.ts
+++ b/apps/client/src/lib/config.ts
@@ -1,6 +1,7 @@
 import bytes from "bytes";
 import { castToBoolean } from "@/lib/utils.tsx";
 import { AvatarIconType } from "@/features/attachments/types/attachment.types.ts";
+import { sanitizeUrl } from "@docmost/editor-ext";
 
 declare global {
   interface Window {
@@ -66,7 +67,7 @@ export function getFileUrl(src: string) {
   if (src.startsWith("/files/")) {
     return getBackendUrl() + src;
   }
-  return src;
+  return sanitizeUrl(src);
 }
 
 export function getFileUploadSizeLimit() {
diff --git a/apps/server/src/core/attachment/services/attachment.service.ts b/apps/server/src/core/attachment/services/attachment.service.ts
index bc6a1e36..6419ed58 100644
--- a/apps/server/src/core/attachment/services/attachment.service.ts
+++ b/apps/server/src/core/attachment/services/attachment.service.ts
@@ -70,8 +70,8 @@ export class AttachmentService {
     }
 
     if (
-      existingAttachment.pageId !== pageId &&
-      existingAttachment.fileExt !== preparedFile.fileExtension &&
+      existingAttachment.pageId !== pageId ||
+      existingAttachment.fileExt !== preparedFile.fileExtension ||
       existingAttachment.workspaceId !== workspaceId
     ) {
       throw new BadRequestException('File attachment does not match');
diff --git a/packages/editor-ext/src/lib/attachment/attachment.ts b/packages/editor-ext/src/lib/attachment/attachment.ts
index a1e851a4..cc346a52 100644
--- a/packages/editor-ext/src/lib/attachment/attachment.ts
+++ b/packages/editor-ext/src/lib/attachment/attachment.ts
@@ -1,5 +1,6 @@
 import { Node, mergeAttributes } from "@tiptap/core";
 import { ReactNodeViewRenderer } from "@tiptap/react";
+import { sanitizeUrl } from "../utils";
 
 export interface AttachmentOptions {
   HTMLAttributes: Record;
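Review bot: The non-`/files/` branch of `getFileUrl` now returns whatever `sanitizeUrl` yields, and the function declares no return type, so if `sanitizeUrl` signals a rejected URL with something other than a string (null, undefined) that value flows silently into every `src=`/`href=` consumer of this helper; declaring `export function getFileUrl(src: string): string {` lets the compiler surface any mismatch with the sanitizer's actual signature. A short why-comment above the `if` would also help the next reader, e.g. `// Backend-relative /files/ paths carry no scheme; anything else goes through sanitizeUrl before reaching src/href` — the definition of `sanitizeUrl` is not on this page, so which schemes it rejects should be confirmed against packages/editor-ext. The function body starts outside the hunk; only its signature is visible, in the hunk header.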
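Review bot: The corrected `||` guard in the `if (` block of attachment.service.ts is now the only thing that stops an existing attachment id from being reused against a different page, workspace or file extension, and nothing nearby records that intent — the original `&&` suggests it was not obvious; add a comment above the `if (` such as `// An existing attachment may only be replaced by the same page and workspace with the same extension; reject any mismatch` so a later edit does not flip it back. The thrown message 'File attachment does not match' gives no hint of which field differed; consider logging the mismatching field server-side (not in the client-facing message) to ease triage. The enclosing method starts and ends outside the hunk, and the branch that assigns `existingAttachment` is not visible, so I am assuming it is already known to be non-null at this point.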
@@ -42,9 +43,12 @@ export const Attachment = Node.create({
     return {
       url: {
         default: "",
-        parseHTML: (element) => element.getAttribute("data-attachment-url"),
+        parseHTML: (element) => {
+          const url = element.getAttribute("data-attachment-url");
+          return sanitizeUrl(url);
+        },
         renderHTML: (attributes) => ({
-          "data-attachment-url": attributes.url,
+          "data-attachment-url": sanitizeUrl(attributes.url),
         }),
       },
       name: {
@@ -101,7 +105,7 @@ export const Attachment = Node.create({
       [
         "a",
         {
-          href: HTMLAttributes["data-attachment-url"],
+          href: sanitizeUrl(HTMLAttributes["data-attachment-url"]),
           class: "attachment",
           target: "blank",
         },
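Review bot: In the new `parseHTML` body, `element.getAttribute` returns `string | null` and that value is handed straight to `sanitizeUrl`; unless `sanitizeUrl` is declared to accept null this only compiles with `strictNullChecks` off, and its behavior on null is not visible from this diff. Making the case explicit, `return url == null ? null : sanitizeUrl(url);`, keeps the missing-attribute path independent of how the sanitizer treats null — I believe tiptap falls back to the attribute's `default: ""` when `parseHTML` returns null, but confirm that against the tiptap version in use. The same sanitizer is applied again in `renderHTML` and in the `href` hunk below, which is harmless if `sanitizeUrl` is idempotent; a one-line comment on the attribute, `// sanitized on both parse and render so a crafted data-attachment-url never reaches href`, would record that the repetition is deliberate. The `Node.create({` call continues outside the hunk.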
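Review bot: The sanitized `href` in the last hunk is rendered into an anchor whose pre-existing context lines set `target: "blank"` and no `rel`; `"blank"` is not the `_blank` keyword — it names a browsing context, so every attachment link reuses a single window called "blank" — and without `rel: "noopener noreferrer"` the opened document can keep a `window.opener` reference back to the editor page. Since this hunk already reworks the anchor's attributes, consider changing those two lines to `target: "_blank",` and `rel: "noopener noreferrer",`. The surrounding `renderHTML` and `Node.create({` continue outside the hunk.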