Markdown links are not sanitized in chat #20
Description
Markdown links allow unsafe URL schemes (such as javascript:, data:, and file:) to render as clickable links. The browser may display a warning or block execution, but the application itself does not sanitize or restrict these schemes before rendering. Protection is only at the browser level rather than at the application level. Potential XSS attack surface.
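One way to enforce this at the application level, as an added example (not code from this project): a renderer hook that allowlists the scheme of every markdown link destination before the `<a>` tag is emitted, degrading disallowed links to plain text. It assumes the renderer hands over the raw, possibly entity-encoded destination and that relative links resolve against a hypothetical `https://chat.example/` origin.

```javascript
// Added example, not the project's code. Allowlist of link schemes; anything
// else (javascript:, data:, file:, vbscript:, ...) is rejected by omission.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Decode HTML entities that a raw markdown destination may still contain,
// e.g. "&#106;avascript:" or "java&colon;alert(1)", so the scheme check sees
// the same string the browser would. (Assumption: the parser does not decode.)
function decodeEntities(raw) {
  return String(raw)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&colon;/gi, ":")
    .replace(/&tab;|&newline;/gi, "");
}

// Returns a normalized href that is safe to emit, or null to drop the link.
function safeHref(raw, base = "https://chat.example/") {
  let url;
  try {
    // The WHATWG URL parser strips tabs/newlines and leading/trailing control
    // characters, so "java\tscript:" and " javascript:" are normalized too;
    // url.protocol is lower-cased, so "JAVASCRIPT:" is also caught.
    url = new URL(decodeEntities(raw), base);
  } catch {
    return null; // unparsable destination or invalid entity -> drop the link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Emit the anchor only when the scheme is allowed; otherwise render the link
// text as plain text so the message still reads correctly.
function renderLink(text, rawHref) {
  const href = safeHref(rawHref);
  if (href === null) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}
```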
Steps to Reproduce
Expected Behavior
Actual Behavior
Environment