Do not allow javascript links in markdown

The main XSS vulnerability in Markdown (PHP), after rejecting HTML tags, seems to be that it allows links like this:

[foo](javascript:alert('xss'))

which will turn into

<a href="javascript:alert('xss')">foo</a>

and the same goes for <img src="">.

I am currently developing a very simple Q & A section on the site and I am using markdown for questions and answers. I can say with confidence that the only legitimate use of links on this site will be http:// or https:// links.

If I change the regular expression that handles links so that it allows only URLs starting with the characters http, will this prevent XSS attacks?

PS This is not part of my current question, but I would be very obliged if some soul showed me how to change this complex regular expression.

EDIT: I already read the PHP Markdown XSS Sanitizer, and the only reason I ask this question is because I am considering an alternative approach. My question is not "how to sanitize markdown to prevent XSS", but rather "will this approach prevent XSS attacks?" So this is not a duplicate, this is an alternative. Moreover, does the fact that this question has not been confirmed show that there are at least some people asking the same question as me, even though the previous question exists?

+3
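As an added illustration of the approach the question proposes (this is example code written for this page, not PHP Markdown's own link handling or a posted answer), the block below renders [text](url) and ![alt](url) through a scheme allowlist. It shows the two things a defender wants checked: the allowlist is applied to the URL as a browser will see it (entities decoded, control characters and tabs removed, scheme compared case-insensitively), and the href is still attribute-escaped afterwards, because an http:// URL can contain a double quote. The LINK_RE pattern and the sample payloads are constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Inline link [text](url "title") and image ![alt](url) syntax, with one
# level of balanced parentheses allowed inside the URL. This regex is a
# constructed stand-in for a markdown parser's link handling, not PHP
# Markdown's own pattern.
LINK_RE = re.compile(
    r'(!?)\[([^\]]*)\]\('
    r'((?:[^\s()]|\([^\s()]*\))+)'
    r'(?:\s+"[^"]*")?\)'
)

ALLOWED_SCHEMES = {"http", "https"}


def normalize_url(url: str) -> str:
    """Undo the tricks that hide a scheme from a naive prefix check.

    Browsers decode HTML entities in attribute values, drop ASCII control
    characters (including tab and newline) from URLs, and compare schemes
    case-insensitively, so the check must see the URL the way the browser
    will.
    """
    url = html.unescape(url)
    return "".join(ch for ch in url if ch > "\x20" and ch != "\x7f")


def is_safe_url(url: str) -> bool:
    """True only if the normalized URL has an http or https scheme."""
    try:
        scheme = urlsplit(normalize_url(url)).scheme.lower()
    except ValueError:
        # Malformed URL (for example unbalanced IPv6 brackets): reject.
        return False
    return scheme in ALLOWED_SCHEMES


def render_links(markdown: str) -> str:
    """Render [text](url) and ![alt](url) with the scheme allowlist applied.

    A link whose URL fails the allowlist is dropped and only its text is
    kept. The href is also attribute-escaped, because an http:// URL may
    still contain a double quote that would otherwise close the attribute.
    """
    def replace(match: re.Match) -> str:
        is_image = match.group(1) == "!"
        text, url = match.group(2), match.group(3)
        if not is_safe_url(url):
            return html.escape(text)
        href = html.escape(normalize_url(url), quote=True)
        if is_image:
            return f'<img src="{href}" alt="{html.escape(text, quote=True)}">'
        return f'<a href="{href}">{html.escape(text)}</a>'

    return LINK_RE.sub(replace, markdown)


if __name__ == "__main__":
    # Constructed samples of the link forms the question is worried about.
    for sample in (
        "[foo](javascript:alert('xss'))",
        "[foo](JavaScript:alert(1))",
        "[foo](java&#9;script:alert(1))",
        "![pic](javascript:alert(1))",
        '[foo](http://x/"onmouseover="alert(1))',
        "[docs](https://example.com/page)",
    ):
        print(f"{sample!r:45} -> {render_links(sample)}")
```

The design choice worth noting: the allowlist decides on the parsed scheme rather than on a literal "http" prefix of the raw text, and the same normalized URL is what ends up in the attribute, so the value checked and the value emitted cannot diverge. Protocol-relative URLs (//host/...) have no scheme and are rejected along with javascript: and data:.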
