Hi,
XSS is possible in the URL function that is available here: https://github.com/frozeman/feindura-flat-file-cms/blob/527920f665ba0ace68e5f22a1ddc7de078108504/library/classes/XssFilter.class.php#L410
The vector is:
javascript://www.xss.com?%0aalert%281%29
The regular expression you are using happily parses the above vector and an attacker can execute JavaScript. The easiest fix would be instead of having a-z and A-Z in the regular expression ... It should be something like http or https ...
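
The fix suggested in the report, shown as an added example that is not part of the original post and not the code in XssFilter.class.php: a scheme pattern that accepts any letters next to an explicit http/https allow-list. The pattern `PERMISSIVE_URL` and the functions `permissiveIsUrl` and `allowListedUrl` are hypothetical names and a constructed stand-in for the filter's behaviour, and every sample URL other than the reported vector is constructed.

```php
<?php
// Added example: NOT the code from XssFilter.class.php.
// Constructed stand-in for a pattern whose scheme part is just [a-zA-Z]+.
const PERMISSIVE_URL = '~^[a-zA-Z]+://[^\s"\'<>]+$~';

function permissiveIsUrl(string $url): bool
{
    return preg_match(PERMISSIVE_URL, $url) === 1;
}

// Hardened form: the scheme must be on an explicit allow-list.
function allowListedUrl(string $url, array $schemes = ['http', 'https']): ?string
{
    // Browsers strip tab, CR and LF from URLs and trim leading control
    // characters and spaces before reading the scheme, so reject all of them.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Schemes are case-insensitive, so compare in lower case.
    if (!in_array(strtolower($parts['scheme']), $schemes, true)) {
        return null;
    }
    // Escape for the HTML attribute the URL will be written into.
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Sample inputs: the first is the vector from the report, the rest are constructed.
$samples = [
    'javascript://www.xss.com?%0aalert%281%29',
    'JaVaScRiPt://www.xss.com?%0aalert%281%29',
    'data://text/html,x',
    'https://www.example.com/page?id=1',
    'http://example.com/',
];

foreach ($samples as $url) {
    printf(
        "%-45s permissive=%s allow-list=%s\n",
        $url,
        permissiveIsUrl($url) ? 'accept' : 'reject',
        allowListedUrl($url) !== null ? 'accept' : 'reject'
    );
}
```

The permissive pattern accepts all five inputs, while the allow-list accepts only the two http/https URLs.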