node-blade

Prevent injecting JavaScript into `href` attribute on `a` tag

Open bminer opened this issue 11 years ago • 2 comments

Prevent stuff like `<a href="javascript:blah">blah</a>`

bminer, May 01 '14 23:05

I love bookmarklets. Preventing this would make it impossible for someone to serve bookmarklets through a Blade template! (Witness my awesome bookmarklets and how badly they need a templating engine here. :dizzy_face:)

That use-case is very small. But perhaps you could make it an option so that it can be disabled if needed.

(Also, some people like to write JavaScript event handlers that way. We might agree that it is dirty and wrong, but occasionally it might be desirable, e.g. porting an old site over to Blade, doing the migration before fixing the handlers!)

joeytwiddle, May 12 '14 07:05

I agree with you; this should be a configurable option in Blade (perhaps even off by default). I just opened the issue so that I wouldn't forget about it later.

bminer, May 12 '14 14:05
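The check the issue asks for, with the opt-out discussed in the replies, as an added example that is not node-blade code and not part of anyone's comment above. It is a helper a template engine could run on `href` values before escaping and emitting them. The function and option names (`sanitizeHref`, `renderAnchor`, `allowScriptUrls`) are assumptions, not Blade's API, and the inputs in the comments are constructed test strings.

```javascript
// Added example, not node-blade code. Function and option names are
// hypothetical; SCRIPT_SCHEMES is a sensible default, not a complete list.

// Schemes whose URLs execute script when the link is followed.
// vbscript: only ever worked in old Internet Explorer but costs nothing to block.
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript"]);

// Mirror the pre-processing the WHATWG URL parser applies to an href value:
// leading/trailing C0 controls (U+0000-U+001F) and spaces are dropped, and
// ASCII tab, LF and CR are removed anywhere in the input. A naive
// startsWith("javascript:") misses "\tjava\nscript:alert(1)", which the
// browser happily runs.
function normalizeForSchemeCheck(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "")
    .toLowerCase();
}

// Return the lower-cased URL scheme, or null for relative / scheme-less URLs.
function extractScheme(value) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalizeForSchemeCheck(value));
  return m ? m[1] : null;
}

function isScriptHref(value) {
  const scheme = extractScheme(value);
  return scheme !== null && SCRIPT_SCHEMES.has(scheme);
}

// Safe by default; allowScriptUrls: true (hypothetical option name) restores
// the bookmarklet / legacy inline-handler use-case from the thread.
// A blocked value is replaced with "#" rather than dropped so the anchor
// still renders and the page layout does not change.
function sanitizeHref(value, opts = {}) {
  if (!opts.allowScriptUrls && isScriptHref(value)) {
    return "#";
  }
  return String(value);
}

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

function escapeText(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Order matters: the scheme check runs on the raw value, then the value is
// attribute-escaped. Escaping "&" is what keeps "javascript&#58;alert(1)"
// from being decoded by the browser into a javascript: URL; the scheme check
// alone would see no colon and let it through.
function renderAnchor(href, text, opts = {}) {
  return `<a href="${escapeAttr(sanitizeHref(href, opts))}">${escapeText(text)}</a>`;
}
```

The normalisation step is the part worth copying: case folding alone is not enough, because browsers delete tab, newline and carriage return inside the scheme before parsing it. Add `"data"` to `SCRIPT_SCHEMES` if the engine should also refuse `data:` links, and keep the opt-out off by default, as the thread suggests.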