Closed SoonDead closed 10 years ago
Blacklisted the javascript scheme (parse_url is handy) in recent commits.
I'd rather try to only kill things that are actually harmful, and relative links are particularly handy for the wiki... maybe I should just add a [wiki] tag or something.
Scumbag RFC is too flexible for this. XSS is standards compliant :(
Only allowing absolute urls and limiting the list of usable protocols could work.
Relative paths are easily broken by the url rewrite anyway. Domain relative and protocol relative urls will not be possible but people who use them have l33t h4x0r skills anyway so they could easily fix the url.
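The allowlist approach discussed above (absolute URLs only, with a short list of permitted schemes, built on `parse_url`), as an added example that is not the project's own code; the helper name `sanitize_link_href` and the sample inputs are constructed for illustration:

```php
<?php
// Added example (not the project's code): allowlist absolute http(s) URLs
// instead of blacklisting the javascript scheme. Helper name is hypothetical.

/**
 * Return the URL if it is an absolute http(s) URL with a host, otherwise null.
 * Anything the parser cannot confidently classify is rejected rather than
 * passed through, which is what makes an allowlist safer than a scheme blacklist.
 */
function sanitize_link_href(string $href): ?string
{
    // parse_url() is lenient; trim surrounding whitespace so the scheme is
    // read from the real start of the string.
    $href  = trim($href);
    $parts = parse_url($href);
    if ($parts === false) {
        return null;                       // unparseable: reject
    }
    // Relative ("Page"), domain-relative ("/Page") and protocol-relative
    // ("//host/x") links all lack a scheme, so they are rejected here too.
    if (empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Schemes are case-insensitive per RFC 3986, so compare lowercased.
    $scheme  = strtolower($parts['scheme']);
    $allowed = ['http', 'https'];          // extend per deployment
    if (!in_array($scheme, $allowed, true)) {
        return null;
    }
    return $href;
}

// Constructed sample inputs for a quick self-check.
$samples = [
    'https://example.com/wiki/Page' => 'accept',
    'HTTP://Example.com/a?b=c'      => 'accept',
    '/wiki/Page'                    => 'reject (domain-relative)',
    '//example.com/x'               => 'reject (protocol-relative)',
    'Page'                          => 'reject (relative)',
    'javascript:alert(1)'           => 'reject (scheme not allowed)',
];
foreach ($samples as $url => $expected) {
    $result = sanitize_link_href($url) === null ? 'rejected' : 'accepted';
    printf("%-32s -> %s (%s)\n", $url, $result, $expected);
}
```

Because the check is positive (scheme must be in the list and a host must be present) rather than negative (scheme must not be `javascript`), variants the RFC permits that a blacklist string-compare would miss fall through to rejection by default.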