Fix XSS with data:html links and form actions.
The academically correct way to filter out xlink hrefs should have been to use hasAttributeNS/getAttributeNS with the XLink namespace. But from my testing, browsers don't care about that namespace at all, and only use the xlink: prefix. This means that even if you correctly specify a different prefix for the XLink NS, the links won't be detected by the browser. xlink: prefixes OTOH even work without specifying the XLink namespace in the XML document.

Reported By: Liuzhu <firstname.lastname@example.org>
Showing with 16 additions and 5 deletions.
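The prefix-versus-namespace point in the commit message, as an added example that is not the project's own code: an attribute-level check a DOM sanitizer could apply while walking an element's attributes. To run in plain Node without a DOM, attributes are passed as `{name, namespaceURI, value}` objects standing in for DOM `Attr` nodes (an assumption), and the sample attributes are constructed, not taken from a real page. The check treats an attribute as URL-bearing both when it is bound to the XLink namespace under any prefix and when its name is literally `xlink:href` (the case browsers actually honour), and it rejects `javascript:` and non-image `data:` values on href, xlink:href, src, action and formaction after the same leading-whitespace and tab/newline stripping browsers do before reading the scheme.

```javascript
// Added example, not code from the commit or its project. Attribute objects
// {name, namespaceURI, value} stand in for DOM Attr nodes (assumption) so this
// runs in Node without a DOM.
const XLINK_NS = 'http://www.w3.org/1999/xlink';

// Attribute names that take a URL and can therefore carry javascript: or
// data:text/html payloads. 'xlink:href' is matched by its literal name because
// browsers key on the xlink: prefix regardless of the declared namespace.
const URL_ATTRS = new Set(['href', 'xlink:href', 'src', 'action', 'formaction']);

// Schemes allowed through; anything else (javascript:, vbscript:, blob:, ...)
// is dropped. data: is handled separately below.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Raster image data: URLs are commonly tolerated; data:text/html never is.
const SAFE_DATA_MIME = /^data:image\/(png|gif|jpe?g|webp);/i;

function isUrlAttribute(attr) {
  const name = attr.name.toLowerCase();
  const local = name.includes(':') ? name.slice(name.indexOf(':') + 1) : name;
  // Namespace-aware check: any prefix bound to the XLink namespace, e.g. xl:href.
  if (attr.namespaceURI === XLINK_NS && local === 'href') return true;
  // Literal-name check: what browsers actually act on.
  return URL_ATTRS.has(name);
}

function normalizeUrl(value) {
  // Browsers strip leading C0 controls/space and remove tab/CR/LF anywhere
  // before parsing the scheme, so "  java\nscript:" still executes.
  return value.replace(/^[\u0000-\u0020]+/, '').replace(/[\t\r\n]/g, '');
}

function isSafeUrl(value) {
  const url = normalizeUrl(value);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true; // relative URL or fragment such as "#icon"
  const scheme = m[1].toLowerCase();
  if (SAFE_SCHEMES.has(scheme)) return true;
  if (scheme === 'data') return SAFE_DATA_MIME.test(url);
  return false;
}

// Returns the attributes that survive: non-URL attributes untouched,
// URL-bearing attributes only when their value passes isSafeUrl.
function sanitizeAttributes(attrs) {
  return attrs.filter(a => !isUrlAttribute(a) || isSafeUrl(a.value));
}

// Constructed sample attributes, as a sanitizer might see them on <a>, <use>,
// <form> and <img> elements.
const SAMPLE = [
  { name: 'href', namespaceURI: null, value: 'https://example.org/' },
  { name: 'xlink:href', namespaceURI: null, value: '#icon' },
  { name: 'xlink:href', namespaceURI: null, value: 'data:text/html,<script>alert(1)</script>' },
  { name: 'xl:href', namespaceURI: XLINK_NS, value: 'javascript:alert(1)' },
  { name: 'action', namespaceURI: null, value: ' java\nscript:alert(1)' },
  { name: 'src', namespaceURI: null, value: 'data:image/png;base64,iVBORw0KGgo=' },
  { name: 'class', namespaceURI: null, value: 'javascript:not-a-url' },
];

console.log(sanitizeAttributes(SAMPLE).map(a => `${a.name}=${a.value}`));
```

Of the seven sample attributes, four survive: the https href, the `#icon` use reference, the PNG data: image, and the class attribute (whose value is never interpreted as a URL). The `data:text/html` xlink:href, the namespaced `xl:href` with a javascript: URL and the form action with an obfuscated `java\nscript:` scheme are all dropped.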