The href, and in some browsers also the src attrs on img or a tags, can be made to execute JS rather easily. Catch those and just remove the attr if, after creating a URL object from it, it does not look like it's an http(s) request. Further, filter out the style tag completely, as that can be misused too, even if only to break cosmetics.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
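
An added example (not the code from this commit) of the filtering the commit message describes, run over a constructed element-like tree. The node shape, the function names and the base URL used to resolve relative links are assumptions, and the attribute check is applied to every element rather than only img and a.

```javascript
// Added example, not the project's code. Nodes are plain objects of the
// assumed shape { tag, attrs, children }; strings are text nodes.
const URL_ATTRS = new Set(['href', 'src']);
const DROP_TAGS = new Set(['style']);
const BASE = 'https://example.invalid/'; // constructed base for relative URLs

// True only if the value parses as a URL whose scheme is http or https.
// The URL parser lowercases the scheme and strips tabs, newlines and
// leading whitespace, so obfuscated schemes are judged as resolved.
function isHttpUrl(value, base = BASE) {
  try {
    const { protocol } = new URL(value, base);
    return protocol === 'http:' || protocol === 'https:';
  } catch (e) {
    return false; // unparsable values are treated as unsafe
  }
}

// Returns a sanitized copy of the tree: style elements are dropped
// entirely and href/src attributes that are not http(s) are removed.
function sanitize(node) {
  if (typeof node === 'string') return node;
  if (DROP_TAGS.has(node.tag.toLowerCase())) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    if (URL_ATTRS.has(name.toLowerCase()) && !isHttpUrl(value)) continue;
    attrs[name] = value;
  }
  const children = (node.children || [])
    .map(sanitize)
    .filter((child) => child !== null);
  return { tag: node.tag, attrs, children };
}

// Constructed sample input.
const SAMPLE = {
  tag: 'div',
  attrs: {},
  children: [
    { tag: 'a', attrs: { href: 'java\tscript:alert(1)', title: 't' }, children: ['x'] },
    { tag: 'img', attrs: { src: 'https://example.invalid/a.png' }, children: [] },
    { tag: 'a', attrs: { href: '/docs/page' }, children: ['docs'] },
    { tag: 'style', attrs: {}, children: ['body{display:none}'] },
  ],
};

console.log(JSON.stringify(sanitize(SAMPLE), null, 2));
```

Parsing with URL rather than matching a string prefix means a scheme written with embedded tabs or mixed case is classified by what it resolves to.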