Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode
When using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. While most modern browsers do not allow a redirect to javascript: URLs, it could still trigger dangerous behavior in some cases. GET https://example.com/.within.website/?redir=javascript:alert() responds with Location: javascript:alert().