<p><a href="https://github.com/dismantl"><img src="https://avatars.githubusercontent.com/u/2007008?" align="left" width="48" height="48" hspace="10" style="max-width:100%;"></a> <strong>Comment by <a href="https://github.com/dismantl">dismantl</a></strong><br><em>Friday Oct 18, 2013 at 14:14 GMT</em></p>

<hr><p>testing link href <code>http://;javascript:alert(1);</code> did not trigger javascript on IE6, IE7, IE8, Firefox 24, or Chrome 28, so I am concluding that we only need to mitigate against simple javascript and data URIs.</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br>Reply to this email directly or <a href="https://github.com/opentechinstitute/luci-commotion/issues/330#issuecomment-46469500">view it on GitHub</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/3074564__eyJzY29wZSI6Ik5ld3NpZXM6QmVhY29uIiwiZXhwaXJlcyI6MTcxODczMjk2MCwiZGF0YSI6eyJpZCI6MzQ5ODEyMjl9fQ==--7c2883c87ef3be83aaa5d1bb34cfe84bc6f501b2.gif" width="1" /></p>