From 5863d64d270c65f4d5f10b4ffcb84db542285106 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Tue, 10 Oct 2017 11:34:04 -0400
Subject: [PATCH] prevent inline js payloads from executing in outgoing page

---
 src/controllers/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/controllers/index.js b/src/controllers/index.js
index dbd41d360c..aa3570b829 100644
--- a/src/controllers/index.js
+++ b/src/controllers/index.js
@@ -391,7 +391,7 @@ Controllers.manifest = function (req, res) {
 Controllers.outgoing = function (req, res, next) {
 	var url = req.query.url || '';
 
-	if (!url) {
+	if (!url || url.startsWith('javascript:')) {
 		return next();
 	}