F-2025-0004·input-validation
Inadequate URL protocol whitelist in link sanitization
TL;DR
The link sanitization utility allowed URL schemes beyond http(s), including javascript:, so a crafted link could run attacker-controlled JavaScript in the embedding page's origin when a user followed it.
Severity
MEDIUM
Impact
MEDIUM
Likelihood
MEDIUM
Method
Manual review
Complexity
LOW
Exploitability
MEDIUM
Description
The widget's link sanitization function used an insufficient protocol whitelist. Schemes such as javascript: and data: passed through unchanged and produced dangerous behavior when a user followed the link: a javascript: URL executes attacker-supplied script in the context of the embedding page (XSS), and a data: URI lets an attacker substitute arbitrary content (for example a complete HTML document) for the expected destination.
Recommendation
Reduce the protocol whitelist to https: (and http: only if necessary) and reject every other scheme, including javascript:, data:, vbscript:, and any scheme not explicitly listed. Compare against the scheme of the parsed URL rather than a raw string prefix: browsers accept mixed-case scheme names and strip leading whitespace and embedded tab/newline characters before resolving a URL, so a prefix check on the original string can be bypassed by input the browser still treats as javascript:. Replace any rejected value with an inert href (or drop the link) rather than passing it through.
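The following is an added example of the recommended allowlist approach; it is not the Initia widget's code or the audit's own fix. The function names (sanitizeHref, naiveDenylistHref), the about:blank fallback, the base URL, and the sample inputs are all assumptions made for illustration. The scheme is taken from the WHATWG URL parser (the same parser the browser uses), which lowercases it and strips leading whitespace and embedded tab/newline, so the bypass inputs shown against the naive prefix check are caught.

```javascript
// Added example, not the widget's original code. Assumed names and inputs.
// Runs under Node.js (URL is a global) or in a browser.

// Only these schemes may be emitted into an href. Everything else is rejected.
const SAFE_PROTOCOLS = new Set(["https:", "http:"]);

// Inert replacement for anything that fails the allowlist (assumed fallback).
const FALLBACK_HREF = "about:blank";

// Assumed base used to resolve relative links; a real widget would use the
// embedding page's origin (e.g. document.baseURI).
const DEFAULT_BASE = "https://example.invalid/";

// Allowlist check on the *parsed* scheme. The URL parser normalizes the
// scheme to lowercase, trims leading/trailing C0 controls and spaces, and
// removes embedded tab/newline before parsing, so " JaVaScRiPt:" and
// "java\tscript:" both resolve to the javascript: scheme here, just as they
// do in the browser.
function sanitizeHref(rawHref, base = DEFAULT_BASE) {
  if (typeof rawHref !== "string") return FALLBACK_HREF;
  let parsed;
  try {
    parsed = new URL(rawHref, base);
  } catch {
    // Unparseable input is never emitted as-is.
    return FALLBACK_HREF;
  }
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return FALLBACK_HREF;
  // Return the normalized absolute URL rather than the raw input.
  return parsed.href;
}

// Contrast only: a hypothetical denylist prefix check of the kind the
// recommendation warns against. Not the widget's code; shown to demonstrate
// why a raw-string comparison is insufficient.
function naiveDenylistHref(rawHref) {
  if (typeof rawHref !== "string") return FALLBACK_HREF;
  return rawHref.startsWith("javascript:") ? FALLBACK_HREF : rawHref;
}

// Constructed sample inputs (not taken from the audited widget).
const SAMPLE_HREFS = [
  "https://example.org/docs?page=1",
  "/relative/path",
  "javascript:alert(document.domain)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
  "mailto:someone@example.org",
];

// Runs every sample through both checks; returns the results so callers
// (or a test) can inspect them rather than relying on printed output.
function compareChecks(hrefs = SAMPLE_HREFS) {
  return hrefs.map((h) => ({
    input: h,
    allowlist: sanitizeHref(h),
    naiveDenylist: naiveDenylistHref(h),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compareChecks()) {
    console.log(JSON.stringify(row));
  }
}
```

Note that the function returns the parsed, absolute form of an accepted URL, so relative inputs are resolved against the supplied base; pass the real page origin as base when embedding this in a widget. Scheme-relative inputs such as //host/path resolve to the base's scheme and therefore pass the allowlist, which is correct for this finding's scope but means host restrictions, if wanted, are a separate check.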
Initia: Resolved. Pashov Audit Group: Resolved.
Status
Fixed
Fix commit
de9d3602dc1a
Fix date
2025-06-23