Incomplete URL scheme check
URLs starting with the data: or vbscript: schemes can be used to represent executable code in a very similar way to javascript: URLs, so any validation logic that checks against javascript:, but not data: or vbscript:, is likely to be insufficient.
Add checks covering both data: and vbscript:.
The following function validates a (presumably untrusted) URL url. If it starts with javascript:, the inert placeholder about:blank is returned to prevent code injection; otherwise url itself is returned.
While this check provides partial protection, it should be extended to cover data: and vbscript: as well.
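The incomplete check and its extended form, as an added example that is not the page's own code: the function names, the normalisation step and the sample URLs are my own assumptions, chosen so the comparison can be run offline.

```javascript
// Added example (not the original page's code). Function names, the
// normalisation helper and the sample URLs are constructed for illustration.

// Normalise before inspecting the scheme: drop ASCII tab/newline anywhere
// (browsers ignore them inside a scheme), trim surrounding whitespace and
// C0 control characters, and lower-case the result.
function normalizeUrl(url) {
  return String(url)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .toLowerCase();
}

// Incomplete check: only javascript: is rejected, so data: and vbscript:
// URLs are returned unchanged.
function sanitizeUrlIncomplete(url) {
  if (normalizeUrl(url).startsWith("javascript:")) return "about:blank";
  return url;
}

// Extended check: every scheme that can carry executable content is rejected.
const EXECUTABLE_SCHEMES = ["javascript:", "data:", "vbscript:"];

function sanitizeUrlExtended(url) {
  const u = normalizeUrl(url);
  if (EXECUTABLE_SCHEMES.some((scheme) => u.startsWith(scheme))) {
    return "about:blank";
  }
  return url;
}

// Return the URLs that the incomplete check passes through unchanged but the
// extended check replaces with about:blank, i.e. the gap between the two.
function compareChecks(urls) {
  return urls.filter(
    (u) => sanitizeUrlIncomplete(u) === u && sanitizeUrlExtended(u) === "about:blank"
  );
}

// Constructed sample inputs: two harmless URLs and three scheme variants.
const SAMPLE_URLS = [
  "https://example.com/",
  "/relative/path",
  " JavaScript:void(0)",
  "data:text/html,hello",
  "VBScript:MsgBox",
];
```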