naughtyHref always allows hrefs with empty schemes

[dbkr]

This means that links of the form, "//example.com/nasty.js" will always be accepted, essentially allowing links to whatever scheme to host page is served over. In practice, this means it's possible to link to http(s) content even if neither 'http' not 'https' are in allowedSchemes / allowedSchemesByTag.

[boutell]

Hmm.

"Protocol-relative" is not a scheme. But it is a thing that someone might reasonably want to disable, yes.

I guess it would make sense to provide an option to cover this:

allowProtocolRelative

Which would be true by default, for backwards compatibility.

A PR would certainly be welcome.

[simison]

@boutell This can probably be closed since allowProtocolRelative is now in:

4c229fb

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.