@braintree/sanitize-url
Changelog
6.0.0
Breaking Changes
// HTML-entity encoded; decodes to javascript:alert('XSS')
const vulnerableUrl = "&#106;avascript:alert('XSS')";
sanitizeUrl(vulnerableUrl); // 'about:blank'

const okUrl = "https://example.com/" + vulnerableUrl;
// the entity is still decoded, but the "javascript" bit now sits in the path
// rather than the protocol, so the decoded URL is returned instead of about:blank
sanitizeUrl(okUrl); // "https://example.com/javascript:alert('XSS')"
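Added illustrative example, not @braintree/sanitize-url's own code: a minimal sanitizer that first decodes numeric HTML entities and then judges the URL by its scheme alone, which is the behaviour the two calls above rely on. It goes a little beyond the entry by also covering hexadecimal entities, mixed-case schemes, leading whitespace and relative paths. The function names, the control-character stripping and every input string are assumptions constructed for this example; the library's real entity table and character filters are not shown on this page.

```javascript
// Illustrative reimplementation (assumption: NOT the library's source).
const BLANK_URL = "about:blank";
const INVALID_SCHEMES = new Set(["javascript", "data", "vbscript"]);

// Decode decimal (&#106;) and hexadecimal (&#x6A;) numeric entities.
// Named entities (e.g. &colon;) are deliberately out of scope here, since
// the changelog example only shows numeric ones.
function decodeNumericEntities(str) {
  return str.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_match, code) => {
    const n =
      code[0].toLowerCase() === "x"
        ? parseInt(code.slice(1), 16)
        : parseInt(code, 10);
    return Number.isFinite(n) && n <= 0x10ffff ? String.fromCodePoint(n) : "";
  });
}

function sanitizeUrlExample(url) {
  if (!url) return BLANK_URL;

  // Decode first, then drop ASCII control characters and outer whitespace,
  // which browsers ignore when they parse a scheme (assumption: the exact set
  // the library strips is not listed on this page).
  const decoded = decodeNumericEntities(url)
    .replace(/[\u0000-\u001f\u007f]/g, "")
    .trim();

  if (!decoded) return BLANK_URL;

  // Relative URLs ("/a", "./a", "../a") carry no scheme, nothing to check.
  if (/^[./]/.test(decoded)) return decoded;

  // The scheme is everything before the first ':'; with no colon there is
  // no scheme, so the URL cannot be a javascript: link.
  const match = decoded.match(/^([^:]+):/);
  if (!match) return decoded;

  // Only the scheme decides. A "javascript:" later in the path is inert.
  const scheme = match[1].replace(/[^a-z0-9+.-]/gi, "").toLowerCase();
  return INVALID_SCHEMES.has(scheme) ? BLANK_URL : decoded;
}

// Constructed inputs mirroring the changelog entry plus a few variants.
const SAMPLES = [
  "&#106;avascript:alert('XSS')",
  "https://example.com/&#106;avascript:alert('XSS')",
  "&#x6A;avascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "/relative/path",
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), "->", sanitizeUrlExample(sample));
}
```

The important design point is where the decode happens: it runs over the whole string before the scheme is extracted, so an entity that hides the `j` of `javascript` is seen as the browser would see it, while the same text in the path is harmless and the decoded URL is handed back.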
5.0.2
5.0.1
4.0.0
Breaking Changes
about:blank
(Thanks @chawes13 #18)