Commit
Fix #17297: XSS in string_insert_hrefs
The URL matching regex in the function did not validate the protocol, allowing an attacker to use 'javascript://' to execute arbitrary code. Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me) and reported by Offensive Security (http://www.offensive-security.com/).
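The flaw described in the commit message, sketched as an added example (this is not the project's code or its actual fix): a linkifier whose URL regex accepts any scheme, next to one whose regex only matches an allow-list. The `linkify` helper, both patterns, the choice of allowed schemes and the sample text are assumptions made for illustration.

```php
<?php
// Illustration only: hypothetical helper, not the project's string_insert_hrefs().

// Before: any "scheme://" run is treated as a URL, so javascript:// is linked.
const ANY_SCHEME = '#\b([a-z][a-z0-9+.-]*://[^\s<>"\']+)#i';
// After: the scheme is part of the match and limited to an allow-list (assumed set).
const ALLOWED_SCHEMES = '#\b((?:https?|ftp)://[^\s<>"\']+)#i';

function linkify(string $text, string $urlPattern): string
{
    // Split the raw text; with one capture group, URL candidates land at odd indexes.
    $parts = preg_split($urlPattern, $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $html = '';
    foreach ($parts as $i => $part) {
        // Escape every piece so neither plain text nor a URL can leave its HTML context.
        $safe = htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
        $html .= ($i % 2 === 1)
            ? '<a href="' . $safe . '">' . $safe . '</a>'
            : $safe;
    }
    return $html;
}

// Constructed sample input; the javascript:// value carries no payload.
$note = 'Docs at https://example.com/a?b=1&c=2 and javascript://constructed-sample here';

// Unchecked protocol: both strings become anchors, including the javascript:// one.
echo linkify($note, ANY_SCHEME), PHP_EOL;
// Allow-listed protocol: only the https URL is linked, the rest stays escaped text.
echo linkify($note, ALLOWED_SCHEMES), PHP_EOL;
```

Escaping alone does not help in the first call, because a `javascript:` URL needs no special characters to be a valid `href` value; the protocol check is what removes it.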