We were previously using a regex to try and strip scripts from the href value by checking for a value starting in data: or containing script:. After a couple of bypasses were found, we've now locked this down and are only allowing values that start with one of the following: https://, http://, / or #. This will fix the issues flagged in #31.
We were previously using a regex to try and strip scripts from the
hrefvalue by checking for a value starting indata:or containingscript:. After a couple of bypasses were found, we've now locked this down and are only allowing values that start with one of the following:https://,http://,/or#. This will fix the issues flagged in #31.