Closed joebordes closed 1 year ago

<a href="javascript:alert(document.domain)">XSShref1</a>

gets sanitized to

<a>XSShref1</a>

but

<a href="javascript:alert(document.domain)">XSShref2</a>

is left unmodified. Is that the expected behaviour of the library?

To be clear, it is not left unmodified: the : is converted to :
The result is a valid URL to a local file named javascript:alert(document.domain), all of which is legal. Do you have a browser which is actually interpreting this as JavaScript?

ah, I see. my code is reverting the & change. ok, sorry for the noise and thanks for the support :-)
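As an added example, not code from the sanitizer library or from anyone in this thread: an allowlist check for href values that decodes HTML character references before deciding, so an entity-encoded scheme (the second test vector above) is judged on what a browser would actually see rather than on the raw attribute text. The allowed-scheme set, the decodeEntities and normalizeHref helpers, and the regex-based sanitizeAnchors rewriter are assumptions made for illustration; a real sanitizer makes the same per-attribute decision on a parsed DOM.

```javascript
// Added example (not the library's or the reporter's code): decide on the
// decoded href, so "javascript&#58;alert(...)" is treated like "javascript:".

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed policy

// Decode numeric (&#58; / &#x3A;) and a few named character references in one
// pass, like a browser does. Out-of-range code points are dropped, not thrown.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':' };
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
    }
    const v = named[name.toLowerCase()];
    return v !== undefined ? v : m; // unknown name: leave as written
  });
}

// Normalise the way a browser does before it looks for a scheme: decode
// references, trim leading/trailing C0 controls and spaces, and delete
// tab/CR/LF anywhere (so "java\nscript:" still counts as javascript:).
function normalizeHref(raw) {
  return decodeEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Lower-cased scheme of an absolute URL, or null for a scheme-less (relative) one.
function schemeOf(href) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// Relative URLs are fine; absolute URLs must use an allowlisted scheme.
function isSafeHref(raw) {
  const scheme = schemeOf(normalizeHref(raw));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Minimal rewriter for the exact shape used in the thread, <a href="...">.
// Not an HTML parser: it only shows the drop-the-attribute outcome.
function sanitizeAnchors(html) {
  return html.replace(/<a\s+href="([^"]*)"\s*>/gi, (tag, href) =>
    isSafeHref(href) ? tag : '<a>');
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed inputs mirroring the two vectors from the thread.
  for (const v of ['javascript:alert(document.domain)',
                   'javascript&#58;alert(document.domain)',
                   'https://example.com/']) {
    console.log(JSON.stringify(v), '->', isSafeHref(v) ? 'keep' : 'drop');
  }
}
```

Because the decision is taken on the decoded value, it is stable under any later entity-decoding pass over the output. The opposite approach, neutralising a URL by encoding its colon, is undone by exactly such a pass, which is what the reporter's post-processing was doing: isSafeHref('javascript&amp;#58;alert(1)') is true (one decode yields a relative path, as the reply above describes), but decoding the output once more re-arms it.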