Improve Blaze automatic URLs blocking

Now also blocks against `vbscript:` URLs in addition to `javascript:` URLs
2026-05-02 03:01:46 -04:00 · 2016-02-18 18:40:43 -08:00
parent d922c816be
commit 66d59bcba7
2 changed files with 6 additions and 2 deletions
--- a/History.md
+++ b/History.md
@@ -95,6 +95,9 @@
 * Don't throw in certain cases when calling a template helper with an
  empty data context. #5411 #5736

+* Improve automatic blocking of URLs in attribute values to also
+  include `vbscript:` URLs.
+
 ### Testing

 * Packages can now be marked as `testOnly` to only run as part of app
--- a/packages/blaze/attrs.js
+++ b/packages/blaze/attrs.js
@@ -267,8 +267,9 @@ var UrlHandler = AttributeHandler.extend({
      origUpdate.apply(self, args);
    } else {
      var isJavascriptProtocol = (getUrlProtocol(value) === "javascript:");
-      if (isJavascriptProtocol) {
-        Blaze._warn("URLs that use the 'javascript:' protocol are not " +
+      var isVBScriptProtocol   = (getUrlProtocol(value) === "vbscript:");
+      if (isJavascriptProtocol || isVBScriptProtocol) {
+        Blaze._warn("URLs that use the 'javascript:' or 'vbscript:' protocol are not " +
                    "allowed in URL attribute values. " +
                    "Call Blaze._allowJavascriptUrls() " +
                    "to enable them.");