🐛 Bug Fix
- Security / sanitizeHTMLElement (
javascript:link XSS, CWE-79/83): thehrefsafety check used a barehref.trim().indexOf('javascript') === 0— unlike theisDangerousUrlnormalization applied to every other URL attribute, it was case-sensitive and did not strip control bytes, tabs or newlines. So a dangeroushrefsurvived sanitization (and persisted in the storededitor.value) when the scheme was upper/mixed-case (JAVASCRIPT:), prefixed by a C0 control byte (\x01javascript:), or split by an embedded tab/newline (java\tscript:) — all of which a browser still resolves tojavascript:on click, executing attacker script in any page that renders the stored value.hrefis now routed through the sameisDangerousUrlnormalization (strips control characters and lowercases before matching the scheme), so these obfuscations are neutralized like every other URL attribute. Affected all versions through 4.12.30. Responsibly reported by Younghun Ko of AhnLab (@koyokr) (GHSA-j839-gqq4-gf9j).