When I click that link in the url field, I get an alert saying the URL is unsafe and could potentially be harmful and asking me whether I really want to open it, precisely because it would run the JS if followed. Are you not getting that alert?
Indeed, I don't see any problem. This seems to be working as expected...
Group: core-security → bugzilla-security
Component: Security → General
Product: Core → bugzilla.mozilla.org
Version: unspecified → Production
A warning is thrown for any unsafe or unrecognized values entered in the URL field before the value is used. So I don't see this as being a concern, as the user is properly warned. dkl
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
Sorry for this, I should have checked that proper URLs don't need confirmations. But why keep this, and not filter it like bug URLs (can't submit if no http or https)?