Bypass "No Links" Restriction in Biography via Protocol-Relative URL (//)

Program: Mozilla
Bug Type: Improper Input Validation
Bounty: Unspecified
Date: 2025-06-03
input-validation html-injection bypass url-scheme frontend content-restriction

Summary

In addons.allizom.org (a website for Android addons), a user has a profile where they can add a bio. The bio field only allows certain HTML tags; its hint reads: "Some HTML supported: . Links are forbidden."

But an <a> tag can be added with a functional hyperlink whose target starts with "//". Payload: click. This will successfully display the click hyperlink in the bio.
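The gap described above, as an added example that is not part of the original report or of Mozilla's code: a filter that only recognises links by an explicit scheme (an assumption about how such a check might be written) misses an href beginning with "//", while parsing the markup and resolving the href against the page URL shows where it really points. The function names, the regex and the example.com host are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://addons.allizom.org/"  # base used to resolve hrefs as a browser would

# Hypothetical weak filter (assumption): only text naming a scheme counts as a link.
SCHEME_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)

def naive_contains_link(bio_html):
    return bool(SCHEME_RE.search(bio_html))

class _HrefCollector(HTMLParser):
    """Collect href values from every start tag in the markup."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append((tag, value.strip()))

def link_targets(bio_html, page_url=PAGE_URL):
    """Return (tag, raw href, kind, resolved URL) for each href found."""
    collector = _HrefCollector()
    collector.feed(bio_html)
    collector.close()
    results = []
    for tag, raw in collector.hrefs:
        parts = urlsplit(raw)
        if parts.scheme:
            kind = "absolute"
        elif parts.netloc:  # empty scheme + host: inherits the page's scheme
            kind = "protocol-relative"
        else:
            kind = "relative"
        results.append((tag, raw, kind, urljoin(page_url, raw)))
    return results

def bio_allowed(bio_html):
    """Policy from the page: links are forbidden, so any href rejects the bio."""
    return not link_targets(bio_html)

# Constructed sample inputs; example.com is a placeholder host.
SAMPLES = {
    "plain": "<b>hello</b>",
    "absolute": '<a href="https://example.com/">click</a>',
    "protocol_relative": '<a href="//example.com/">click</a>',
}
```

Validating the parsed attribute rather than the raw text is what closes the gap: the "//" form carries no scheme for a text pattern to match, yet it resolves to another host.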
