VBScript is deprecated, and IE11 has it disabled by default since July 2019. Yet, users with outdated versions of IE or Windows could potentially be victims of VBScript based XSS attacks.
I'm not sure what the current browser support for this lib is, but regardless, it looks like disallowing VBScript as a protocol could be easily achieved.
I'd be happy to make a PR in case you're interested in also disallowing it.
VBScript is deprecated, and IE11 has it disabled by default since July 2019. Yet, users with outdated versions of IE or Windows could potentially be victims of VBScript based XSS attacks. I'm not sure what the current browser support for this lib is, but regardless, it looks like disallowing VBScript as a protocol could be easily achieved. I'd be happy to make a PR in case you're interested in also disallowing it.