cloudflare / vinext

fix: block dangerous URI schemes in Link and Form components (#174)
Block javascript:, data:, and vbscript: URI schemes in the Link href and Form action props. Handles evasion techniques including mixed case, leading whitespace, and zero-width characters. Link renders an inert <a> without href. Form renders without action (submits to current page). Both warn in dev mode. Shared isDangerousScheme() utility in url-safety.ts for consistency. Based on the work by @kochrac in #142.
Steve Faulkner committed on Feb 27, 2026, 07:48 PM
Showing 3 changed files +61 additions -0 deletions
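
The check the commit message describes, sketched as an added TypeScript example; it is not the code from this commit or from vinext's `url-safety.ts`. The function names, the exact set of characters stripped, and the sample inputs are assumptions made for illustration.

```typescript
// Added illustration; not vinext's url-safety.ts. Function names and the
// exact set of stripped characters are assumptions.
const BLOCKED_SCHEMES: ReadonlySet<string> = new Set(["javascript", "data", "vbscript"]);

// Tab, LF and CR are removed from anywhere in a URL by the WHATWG URL parser.
const TAB_NEWLINE = /[\t\n\r]/g;
// Zero-width and BOM characters are invisible in source, so strip them conservatively.
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF]/g;
// Leading C0 control characters and spaces are trimmed by the URL parser.
const LEADING_C0_OR_SPACE = /^[\u0000-\u0020]+/;

// Returns the lowercased scheme, or null for relative URLs.
function extractScheme(url: string): string | null {
  const cleaned = url
    .replace(TAB_NEWLINE, "")
    .replace(ZERO_WIDTH, "")
    .replace(LEADING_C0_OR_SPACE, "");
  const match = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return match?.[1]?.toLowerCase() ?? null;
}

function isBlockedScheme(url: string): boolean {
  const scheme = extractScheme(url);
  return scheme !== null && BLOCKED_SCHEMES.has(scheme);
}

// Returns the value to render, or undefined so the attribute is omitted.
function safeUrlProp(url: string, propName: string, dev = false): string | undefined {
  if (!isBlockedScheme(url)) return url;
  if (dev) console.warn(`Blocked dangerous URI scheme in ${propName}`);
  return undefined;
}

// Constructed sample inputs covering the evasions named in the commit message.
const samples: Array<[string, boolean]> = [
  ["javascript:void(0)", true],
  ["JaVaScRiPt:void(0)", true],
  ["  \tjavascript:void(0)", true],
  ["java\u200Bscript:void(0)", true],
  ["vbscript:x", true],
  ["data:text/plain,hi", true],
  ["https://example.com/a?b=javascript:", false],
  ["/docs/javascript:notes", false],
  ["mailto:a@example.com", false],
];
for (const [url, want] of samples) {
  console.log(JSON.stringify(url), isBlockedScheme(url) === want ? "ok" : "MISMATCH");
}
```

The scheme is matched only at the start of the normalized string, so a blocked scheme name appearing later in a path or query does not trigger the block.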