Closed skunkworks closed 6 years ago
We aren't able to be stricter with the protocols because "some internal apps" use sanitize-url to handle mobile app deep link URLs.
It does seem slightly safer to remove anything with `javascript:`, e.g. just make the regex `.*javascript:.*`. I'll go with that.
Not sure we want to make the regex `.*javascript:.*`.
I think including a `:` after a `#` can be a valid character. So `http://example.com#myjavascript:foo` is technically a valid URL, but would be converted to `about:blank`. It's definitely an edge case, but one I think we should account for.
Could you parse out the protocol and run the regular expression on that? You could also probably do this with a different regex.
Should we filter anything with `javascript:`? Or could we be stricter about the protocols we allow?
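The protocol-parsing approach suggested in the thread, as an added example that is not sanitize-url's own code: it contrasts the blanket `.*javascript:.*` match with a check on the scheme extracted from the front of the URL, using the `http://example.com#myjavascript:foo` edge case above. The blocked-scheme set and the stripping of control characters before extraction are assumptions of this example, not something the thread specifies.

```javascript
// Added example, not sanitize-url's code. Two sanitizers side by side:
// the blanket regex from the thread, and a check that isolates the scheme.

// Blanket match: rejects any URL containing "javascript:" anywhere.
const BLANKET_RE = /javascript:/i;

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
const SCHEME_RE = /^([a-z][a-z0-9+.-]*):/i;

// Assumed blocklist for this example; a deployment would decide its own.
// A blocklist (rather than an allowlist) keeps the deep-link schemes the
// maintainer mentions working.
const BLOCKED_SCHEMES = new Set(['javascript']);

function naiveSanitize(url) {
  return BLANKET_RE.test(url) ? 'about:blank' : url;
}

// Return the lowercase scheme at the start of the URL, or null when the
// URL is relative (no scheme). Whitespace and ASCII control characters are
// removed first so "java\tscript:" is still recognised as "javascript";
// the original URL is returned unchanged, only the scheme check uses the
// cleaned copy.
function extractScheme(url) {
  const cleaned = url.replace(/[\u0000-\u001F\u007F\s]/g, '');
  const m = cleaned.match(SCHEME_RE);
  return m ? m[1].toLowerCase() : null;
}

function schemeSanitize(url) {
  const scheme = extractScheme(url);
  if (scheme === null) return url; // relative URL, nothing to block
  return BLOCKED_SCHEMES.has(scheme) ? 'about:blank' : url;
}

// Constructed inputs: the edge case from the thread plus a few variants.
const SAMPLES = [
  'http://example.com#myjavascript:foo', // valid URL, fragment contains ':'
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  ' java\tscript:alert(1)',
  '/relative/path#javascript:x',
  'myapp://open/item/1', // mobile deep link
];

for (const u of SAMPLES) {
  console.log(JSON.stringify(u), '->', naiveSanitize(u), '|', schemeSanitize(u));
}
```

The first sample shows the false positive: the blanket regex turns it into `about:blank` while the scheme check leaves it alone, and the obfuscated `java\tscript:` sample shows why the scheme is normalised before comparison.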