<p>testing link href <code>http://;javascript:alert(1);</code> did not trigger javascript on IE6, IE7, IE8, Firefox, or Chrome, so I am concluding that we only need to mitigate against simple javascript and data URIs.</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br>Reply to this email directly or <a href='https://github.com/opentechinstitute/luci-commotion-apps/issues/12#issuecomment-26598689'>view it on GitHub</a>.<img src='https://github.com/notifications/beacon/HSS0tS4nfORw_XnPQF8f0aN3i5bXfhozh_5bDAr3Nkjt8P-rPFYD0S_1YZ1oaUjQ.gif' height='1' width='1'></p>