iamcal / lib_autolink

PHP HTML link formatting library
MIT License

Fix XSS vulnerability in title attribute #24

Closed DennisStanistan closed 1 year ago

DennisStanistan commented 1 year ago

There's a cross-site scripting vulnerability in the title attribute. Since we're already sanitizing $link_url for the href attribute, we can also do it for the title attribute as well.

iamcal commented 1 year ago

Thanks for the patch. I added a test case that this should exercise (broken on trunk, fixed by your patch).

I don't believe this would have ever been exploitable because [<>"] were already not allowed in the URL, but this should now (correctly) escape ampersands.
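The point raised in both comments, escaping the title attribute with the same routine already used for href, shown as an added PHP example that is not lib_autolink's own code. The function names and the sample URL are assumptions for illustration; it uses a URL containing a bare ampersand to show why the attribute must be escaped even when `<`, `>` and `"` are already filtered out of the URL.

```php
<?php
// Added example (not lib_autolink's own code): render an autolinked anchor where
// every attribute value, not only href, goes through HTML escaping.
// attr_escape(), render_link() and the sample URL are assumptions for illustration.

/**
 * Escape a string for use inside a double-quoted HTML attribute.
 * ENT_QUOTES covers both quote characters; ampersands are always encoded,
 * so a sequence such as "&copy" inside a URL is not decoded as an entity.
 */
function attr_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render an <a> tag. With $escape_title = false this mirrors the pre-fix
 * behaviour described in the PR (only href escaped); with true, both
 * attributes are escaped the same way.
 */
function render_link(string $url, string $text, bool $escape_title = true): string
{
    $href  = attr_escape($url);
    $title = $escape_title ? attr_escape($url) : $url;
    $label = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<a href="' . $href . '" title="' . $title . '">' . $label . '</a>';
}

// Constructed sample: a query string where an ampersand is followed by an entity name.
$url = 'https://example.com/page?id=7&copy=1';

$before = render_link($url, 'example', false);
$after  = render_link($url, 'example', true);

// Before: the title attribute carries a raw "&copy", which browsers decode as "©",
// so the title no longer matches the href and arbitrary entity text leaks through.
// After: "&amp;copy" renders as the literal text "&copy".
echo "before: $before\n";
echo "after:  $after\n";

// Quick self-check a test suite could carry: the escaped form must not
// contain an unescaped ampersand in either attribute.
$ok = !preg_match('/&(?!amp;)/', substr($after, 0, strrpos($after, '">')));
echo $ok ? "title attribute safely escaped\n" : "unescaped ampersand found\n";
```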