
XSS vuln on beta.minecraft.net - _jomo
https://bugs.mojang.com/browse/WEB-268
======
_jomo
Are there actually any valid use cases for this?

        window.location.href = "javascript:..."

I assume there are hundreds of websites that also blindly pass a URL parameter
to it. Most developers simply don't expect that a redirect is something they
have to sanitize.

Why do browsers allow this at all?
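
One way to vet a redirect target before it reaches `window.location.href`, as an added example that is not part of the original post or Mojang's code. The origin `https://app.example`, the `next` parameter name and both function names are assumptions.

```javascript
// Added example: validate a redirect target taken from a query parameter
// before it is ever handed to window.location.
// ALLOWED_ORIGIN and the "next" parameter name are assumptions.
const ALLOWED_ORIGIN = "https://app.example";
const FALLBACK = ALLOWED_ORIGIN + "/";

function safeRedirectTarget(raw, fallback = FALLBACK) {
  if (typeof raw !== "string" || raw.length === 0) return fallback;
  let url;
  try {
    // Parse with the same WHATWG rules the browser applies. Relative values
    // resolve against our own origin, and the parser strips leading spaces
    // and embedded tabs/newlines, so " java\tscript:..." is seen for what
    // it is instead of slipping past a naive startsWith() check.
    url = new URL(raw, ALLOWED_ORIGIN + "/");
  } catch {
    return fallback;
  }
  // Scheme allowlist: rejects javascript:, data:, vbscript:, blob: and the like.
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  // Same-origin only: rejects //other.example and \\other.example forms.
  if (url.origin !== ALLOWED_ORIGIN) return fallback;
  // Return the normalized absolute URL. Returning only the path would be
  // unsafe: a path such as "//other.example" is protocol-relative when
  // assigned to location.
  return url.href;
}

// Reads the (assumed) "next" parameter from a query string and vets it.
function redirectFromQuery(search) {
  return safeRedirectTarget(new URLSearchParams(search).get("next"));
}

// Browser usage:
//   window.location.assign(redirectFromQuery(window.location.search));
```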

