XSS in href attribute, issue a warning

[m1212e]

This (see code snippet below) currently works without any warning etc.
Imagine test being user input. Since many developers just use frameworks for the comfort to not having to think about XSS and other security relevant things, maybe it would be a good idea to at least issue a warning to the console when this occurs? React acutally made this deprecated and plans to make it stop working.

<script lang="ts">
	let test = `javascript:alert('1')`;
</script>

<main>
	<a href={test}>test</a>
</main>

[mohe2015]

@m1212e have you found resources for general mitigation? Because the OWASP sheets don't seem to contain good general advice in this specific case.

[mohe2015]

I could probably look at any good html sanitizer

[m1212e]

It caught my attention while reading this article: https://lolware.net/blog/react-xss-protection-cheat-sheet/
All it says is basically: Parse user input. So thats probably what should be done.

[pngwn]

We will not be addressing this in Svelte itself. We would need to add runtime checks to Svelte for it to be robust and there are better solutions to this problem. Security is down to the user.

SvelteKit is the right place to solve this problem.