Closed diegocr closed 5 years ago
Thanks for your PR.
The regex match is already filtering any HTML tags />(https?:\/\/[^<]+)<\/li>/g
. I am not sure if there will be any HTML to escape in the links?
Yeah, i was being paranoid here... in theory you're right, but you could also prevent double quotes to avoid malformed HTML, which may or may not could turn to be exploitable...
What about filtering the double quotes in the regex />(https?:\/\/[^<"]+)<\/li>/g
?
You could do that, however personally i would opt for a more strict and specific filtering at the time we do concatenate strings, specially those behind a jQuery.html()
- and the like - function invocation.
We still need to filter the unrelated links anyway which will be done via JQuery parse HTML so it will be managed in a different way.
I will close this. Please reopen if needed.
</paranoid>