
Gregmolnar

#38,919 of 53,622
7.1 Total CVSS
Vulnerabilities · 1
PT-2024-24591
7.1
2024-04-17
Phlex · Phlex · CVE-2024-32463
**Name of the Vulnerable Software and Affected Versions**

- phlex versions prior to 1.10.1
- phlex versions prior to 1.9.2
- phlex versions prior to 1.8.3
- phlex versions prior to 1.7.2
- phlex versions prior to 1.6.3
- phlex versions prior to 1.5.3
- phlex versions prior to 1.4.2

**Description**

There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter that detects and blocks the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed by inserting tab (`\t`) or newline (`\n`) characters between the characters of the scheme, e.g. `java\tscript:`. Browsers strip ASCII tab and newline characters from a URL before parsing its scheme, so the filter sees a string that does not match `javascript:` while the browser still resolves it to exactly that scheme. If an `<a>` tag is rendered with an `href` attribute set to a user-provided link, that link could execute JavaScript when another user clicks it.

**Recommendations**

Update to the patched release of the branch in use:

- For versions prior to 1.10.1, update to version 1.10.1.
- For versions prior to 1.9.2, update to version 1.9.2.
- For versions prior to 1.8.3, update to version 1.8.3.
- For versions prior to 1.7.2, update to version 1.7.2.
- For versions prior to 1.6.3, update to version 1.6.3.
- For versions prior to 1.5.3, update to version 1.5.3.
- For versions prior to 1.4.2, update to version 1.4.2.

As a temporary workaround, consider deploying a Content Security Policy whose `script-src` directive does not allow `unsafe-inline`: a `javascript:` URL is treated as inline script, so such a policy blocks its execution even if the filter is bypassed.