Hi Julie, thanks for the patch.
One further issue we need to consider with this bug in particular is javascript: URLs. If you change the resource name to "javascript:alert(1)" you'll see that this code is still executed. We should probably be using 'reverse' to generate the URL to the resource?
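The point raised in the comment above, as an added example that is not code from the patch or the project: HTML-escaping a resource name does not neutralise a `javascript:` scheme, while building the link from a route does. The `/resources/<name>/` route and all function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import quote

# Constructed sample: the resource name quoted in the comment above.
HOSTILE_NAME = "javascript:alert(1)"

_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
_ALLOWED_SCHEMES = {"http", "https"}
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def unsafe_link(name):
    """'Before' pattern: the escaped resource name is used directly as the href."""
    return '<a href="%s">%s</a>' % (html.escape(name), html.escape(name))


def resource_url(name):
    """Build the URL from a fixed route (hypothetical /resources/<name>/).

    The name is percent-encoded and only ever appears as a path segment,
    so it can never supply the scheme of the resulting URL.
    """
    return "/resources/%s/" % quote(name, safe="")


def safe_link(name):
    """'After' pattern: href comes from the route, the name is display text only."""
    return '<a href="%s">%s</a>' % (html.escape(resource_url(name)), html.escape(name))


def effective_scheme(url):
    """Return the scheme roughly as a browser's URL parser would see it.

    Browsers strip leading/trailing control characters and spaces and drop
    tabs and newlines anywhere in the string before reading the scheme.
    """
    cleaned = re.sub(r"[\t\n\r]", "", url.strip(_C0_AND_SPACE))
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_href(url):
    """Allow scheme-less (relative) URLs and http/https only."""
    scheme = effective_scheme(url)
    return scheme is None or scheme in _ALLOWED_SCHEMES
```

`is_safe_href` is a defence-in-depth check for places where a stored value must be used as a link target; where the target is the application's own resource page, generating the URL from the route is the primary fix.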