We were previously using a regex to try and strip scripts from the href value by checking for a value starting in data: or containing script:. After a couple of bypasses were found, we've now locked this down and are only allowing values that start with one of the following: https://, http://, / or #. This will fix the issues flagged in #31.
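An added example, not code from the project or from this change, showing the allow-list check the message describes beside a reconstruction of the earlier deny-list approach (the original regex is not on the page, so `denyListHref` is an assumption; `isAllowedHref`, `sanitizeHref` and the `allowProtocolRelative` option are names chosen here). One caveat worth knowing: a `/` prefix also admits protocol-relative `//host` values, which the option lets a caller reject.

```javascript
// Allowed prefixes as described in the change: https://, http://, / and #.
const ALLOWED_PREFIXES = ["https://", "http://", "/", "#"];

// Returns true when `value` is acceptable as an href under the allow-list.
// Leading/trailing whitespace is trimmed and the comparison is
// case-insensitive, so a value is judged by its scheme rather than by an
// exact byte match. `allowProtocolRelative: false` additionally rejects
// "//host" values, which the plain "/" prefix would otherwise admit.
function isAllowedHref(value, { allowProtocolRelative = true } = {}) {
  if (typeof value !== "string") return false;
  const lower = value.trim().toLowerCase();
  if (!allowProtocolRelative && lower.startsWith("//")) return false;
  return ALLOWED_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Reconstruction (assumption) of the earlier deny-list rule: reject values
// that start with "data:" or contain "script:", accept everything else.
// Unlike the allow-list it accepts any scheme it has not explicitly named.
function denyListHref(value) {
  return typeof value === "string" && !/^data:|script:/i.test(value);
}

// Sanitiser built on the allow-list: keep the trimmed href when allowed,
// otherwise drop the attribute entirely (null) rather than trying to repair it.
function sanitizeHref(value) {
  return isAllowedHref(value) ? value.trim() : null;
}
```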