A JavaScript payload such as "javascript:alert(1)" in a URL could cause a Cross-Site Scripting (XSS) vulnerability. According to the commit message (see references): "`wp_kses_bad_protocol()` makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function."
javascript:alert(1)
WordPress.org Security Team
No
2019-12-13 (about 3 years ago)
2020-01-04 (about 3 years ago)
2020-09-22 (about 2 years ago)
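The bypass described in the quoted commit message comes down to which entity table a protocol check decodes with before it looks for the scheme: `&colon;` is an HTML5 named character reference for ":", so a check that only knows the HTML 4.01 table sees no scheme at all. The following is an added example, not WordPress code and not the project's fix; the function names, the allowlist and the sample values are assumptions made for illustration, and it covers only the named-entity case.

```php
<?php
// Added example (not WordPress code). Hypothetical allowlist for illustration.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Return the lower-cased scheme of a URI attribute value, or null if none is found.
 * $entityTable is ENT_HTML401 or ENT_HTML5 and selects the named-entity table
 * used for decoding before the scheme is searched for.
 */
function uri_scheme(string $value, int $entityTable): ?string
{
    // Decode character references once, as a browser does for attribute values.
    $decoded = html_entity_decode($value, ENT_QUOTES | $entityTable, 'UTF-8');

    // Conservative: drop control characters and whitespace before matching.
    $decoded = preg_replace('/[\x00-\x20]+/', '', $decoded);

    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $decoded, $m)) {
        return null; // no scheme found, value is treated as a relative URL
    }
    return strtolower($m[1]);
}

/** Allow relative URLs and allowlisted schemes; reject everything else. */
function is_allowed_uri(string $value, int $entityTable): bool
{
    $scheme = uri_scheme($value, $entityTable);
    return $scheme === null || in_array($scheme, ALLOWED_SCHEMES, true);
}

// Constructed sample attribute values.
$samples = [
    'https://example.com/',
    '/relative/path',
    'javascript:alert(1)',
    'javascript&colon;alert(1)',
];

foreach ($samples as $s) {
    printf(
        "%-28s html401=%-6s html5=%s\n",
        $s,
        is_allowed_uri($s, ENT_HTML401) ? 'allow' : 'reject',
        is_allowed_uri($s, ENT_HTML5) ? 'allow' : 'reject'
    );
}
```

With the HTML 4.01 table the last sample is classified as a relative URL and allowed, while the HTML5 table decodes it to the same string as the third sample and rejects it.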