XSS vulnerability in URL tags

[Nisto]

I believe javascript: URLs ought to be filtered. URL tags currently allows embedding malicious inline scripts:

$bbcode = new ChrisKonnertz\BBCode\BBCode();

echo $bbcode->render("[url=javascript:alert('hacked')]malicious link[/url]");

[ui0ppk]

tbh i plan to make a pull to fix it

[ui0ppk]

im a few months late on this but if anyone cares to do it just make it allow specific urls or disallow (like a whitelist or blacklist)