Sanitize `file:` protocol in escapeHTML
Opened this issue · 0 comments
mmichaelis commented
Despite `data:` and `javascript:` as well-known attack vectors for XSS, the `file:` protocol may also cause malicious behavior. I think it is rather safe (thus, backward-compatible) to also escape it here:

Only for local use of BBob, the `file:` protocol may be relevant. Thus, for full backward-compatibility, we would need to add some flag to the options.
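One way the suggested behaviour could look, as an added example that is not BBob's own `escapeHTML` implementation: the scheme list, the `allowFile` option name and the percent-encoding of the colon are assumptions chosen for illustration.

```javascript
// Added example (not BBob's code): escape HTML metacharacters and neutralize
// URL schemes that can execute script or reach the local filesystem.
// `file:` is blocked by default and re-allowed only with the (assumed)
// `allowFile` option, so local-only users keep the old behaviour via a flag.

// Schemes that are always neutralized; `file` is appended unless allowFile is set.
const ALWAYS_BLOCKED = ['javascript', 'data', 'vbscript'];

function escapeHTML(value, options = {}) {
  const { allowFile = false } = options;
  const blocked = allowFile ? ALWAYS_BLOCKED : [...ALWAYS_BLOCKED, 'file'];

  // \b keeps "profile:" or "metadata:" from matching; 'i' catches "JavaScript:".
  const schemeRe = new RegExp(`\\b(${blocked.join('|')}):`, 'gi');

  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;')
    // Replace the scheme's ":" with its percent-encoding: the browser no longer
    // parses the value as that protocol, while the text remains readable.
    .replace(schemeRe, (_, scheme) => `${scheme}%3A`);
}

// Constructed inputs for demonstration.
const SAMPLES = [
  'file:///etc/hosts',
  'JavaScript:alert(1)',
  'https://example.com/profile:1',
];

function escapeAll(inputs, options) {
  return inputs.map((s) => escapeHTML(s, options));
}
```

Calling `escapeAll(SAMPLES)` neutralizes the first two inputs and leaves the third untouched; passing `{ allowFile: true }` keeps `file:` URLs intact for local use.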