csaf-poc / csaf_webview

Web app (module) to display a CSAF 2 document and to browse CSAF 2 ROLIE feeds. ⚠️ The web demo is often not allowed to access servers:
https://csaf-poc.github.io/csaf_webview/

JavaScript URLs should not be clickable #45

Closed bernhard-herzog closed 2 months ago

bernhard-herzog commented 2 months ago

Some URLs in the CSAF document are rendered with a-elements so that they're clickable. This is problematic for e.g. javascript: URLs because clicking on them will execute the JavaScript code. The URL contents are also shown as the text content of the a-element so it's pretty obvious that the URL might be dangerous, but it would be better to restrict clickable URLs to reasonably safe protocols like http: and https:

bernhardreiter commented 1 month ago

Got the hint that https://github.com/secvisogram/secvisogram/pull/511/files solves a similar problem. However the solution there supports more URL schemes. We only support "http" and "https". (And there is no indication in CSAF 2.0 that other schemes are useful. Maybe mailto, but this can easily be added.)
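One way to implement the scheme allow-list discussed in this issue, as an added example that is not csaf_webview's own code: the URL is run through the WHATWG URL parser (the global `URL` in browsers and Node.js), its `protocol` is compared against a set of permitted schemes, and only a match produces an `<a>` element; everything else is rendered as escaped text. The function names (`safeHref`, `renderUrl`), the CSS class name and the sample URLs are assumptions made for the example. The allow-list defaults to http and https, and the last call shows mailto being added the way the comment above suggests.

```javascript
// Added example, not code from csaf_webview. Render a CSAF reference URL as a
// clickable link only when its scheme is on an allow-list; otherwise show the
// URL as inert, HTML-escaped text so the reader can still see it.

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Returns the normalised absolute URL when its scheme is allowed, else null.
function safeHref(raw, allowed = SAFE_SCHEMES) {
  let url;
  try {
    // No base URL: relative references fail to parse and are rejected.
    url = new URL(String(raw));
  } catch (e) {
    return null;
  }
  // The WHATWG parser strips leading/trailing whitespace and embedded
  // tab/newline characters and lower-cases the scheme, so "JavaScript:" and
  // " java\tscript:alert(1)" both end up with protocol "javascript:". Matching
  // on the parsed protocol rather than a regex over the raw string is what
  // makes the check robust to those obfuscations.
  return allowed.has(url.protocol) ? url.href : null;
}

// Produce the HTML fragment for one URL from the document.
function renderUrl(raw, allowed = SAFE_SCHEMES) {
  const href = safeHref(raw, allowed);
  const text = escapeHtml(raw);            // visible text is always escaped
  if (href === null) {
    return `<span class="unsafe-url">${text}</span>`;   // assumed class name
  }
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${text}</a>`;
}

// Constructed sample inputs of the kind a CSAF document might carry.
const SAMPLES = [
  "https://example.com/security/advisory-1",
  "javascript:alert(1)",
  " java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "mailto:psirt@example.com",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", renderUrl(s));
}
```

Because `safeHref` returns the parser's normalised `href`, the `href` attribute never contains the raw input; the raw string only reaches the page as escaped text. To permit additional schemes, pass an extended set, e.g. `renderUrl(u, new Set([...SAFE_SCHEMES, "mailto:"]))`.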