braintree / sanitize-url

MIT License

Handle case where malicious URLs start with %20 #2

Closed skunkworks closed 6 years ago

EvanHahn commented 6 years ago

Should we filter anything with javascript:? Or could we be stricter about the protocols we allow?

skunkworks commented 6 years ago

We aren't able to be stricter with the protocols because "some internal apps" use sanitize-url to handle mobile app deep link URLs.

It does seem slightly safer to remove anything with javascript:, e.g. just make the regex .*javascript:.*. I'll go with that.

crookedneighbor commented 6 years ago

Not sure we want to make the regex .*javascript:.*.

I think including a : after a # can be a valid character. So http://example.com#myjavascript:foo is technically a valid url, but would be converted to about:blank. It's definitely an edge case, but one I think we should account for.

EvanHahn commented 6 years ago

Could you parse out the protocol and run the regular expression on that? You could also probably do this with a different regex.
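Here is one way to implement the approach suggested in this last comment, as an added example that is not sanitize-url's own code: extract the scheme (protocol) from the URL and check only that, rather than matching `javascript:` anywhere in the string. It handles the edge case raised above (`http://example.com#myjavascript:foo` stays valid because its scheme is `http`), keeps custom deep-link schemes such as the assumed `myapp://` working, and, on the assumption that the `%20` in the issue title means a percent-encoded leading space, strips leading whitespace in both literal and `%20` form before reading the scheme. The blocklist contents and the function names are assumptions for this example.

```javascript
// Added example (not the sanitize-url project's own code).
// Schemes that must never be returned to the caller. Only "javascript" is
// discussed in this issue; the Set is an assumption so it can be extended.
const BLOCKED_SCHEMES = new Set(["javascript"]);

// Return the URL scheme in lower case, or null for scheme-less (relative) URLs.
// Leading whitespace, literal or percent-encoded as %20, is removed first so
// that "%20javascript:..." cannot slip past the check.
function extractScheme(url) {
  const trimmed = String(url).replace(/^(\s|%20)+/i, "");
  // RFC 3986 scheme: a letter followed by letters, digits, "+", "." or "-",
  // terminated by ":". "/" and "#" are not scheme characters, so the ":" in
  // "http://example.com#myjavascript:foo" is never reached here.
  const match = /^([a-z][a-z0-9+.\-]*):/i.exec(trimmed);
  return match ? match[1].toLowerCase() : null;
}

// Return the URL with leading whitespace removed, or "about:blank" when its
// scheme is on the blocklist. Scheme-less URLs are passed through unchanged.
function sanitizeUrl(url) {
  const trimmed = String(url).replace(/^(\s|%20)+/i, "");
  const scheme = extractScheme(trimmed);
  if (scheme !== null && BLOCKED_SCHEMES.has(scheme)) {
    return "about:blank";
  }
  return trimmed;
}

// Constructed sample inputs illustrating the cases discussed in the issue.
const samples = [
  "javascript:alert(1)",                  // blocked
  "%20javascript:alert(1)",               // blocked after stripping %20
  "JaVaScRiPt:alert(1)",                  // blocked, scheme compared case-insensitively
  "http://example.com#myjavascript:foo",  // allowed, scheme is http
  "myapp://deep/link",                    // allowed, assumed custom deep-link scheme
  "/relative/path",                       // allowed, no scheme
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sanitizeUrl(s)));
}
```

Because the decision is made on the parsed scheme, adding a scheme to `BLOCKED_SCHEMES` (or switching to an allowlist, should the deep-link requirement ever go away) changes the policy without touching the parsing logic.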