It looks like kbin does check for and validate these. It hands back an “invalid URL” error if the mentioned javascript: schema in the bug report for lemmy is used.
EDIT: Though I didn’t try submitting to a lemmy instance and seeing whether kbin validates links coming in from federated systems rather than locally-submitted.
EDIT2: Honestly, this should be checked in clients too to avoid a malicious server they connect to directly feeding them XSS URLs. Like, probably warrants bug reports for all clients.
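A client-side check of the kind EDIT2 asks for, as an added example that is not part of the original comment and is not code from kbin, lemmy or any client. The names `safeLinkUrl`, `sanitizePost` and `ALLOWED_SCHEMES` and the sample posts are constructed for illustration, and it assumes the client only wants to render http(s) links.

```javascript
// Scheme allowlist applied to link URLs a client receives from a server,
// before they are ever placed in an href. Allowlist, not a "javascript:" blocklist.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumption: web links only

function safeLinkUrl(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // Parse with the same WHATWG URL parser browsers use, so the check sees
    // what the browser would see: leading spaces/control characters stripped,
    // tabs and newlines removed, scheme lowercased. No base URL is given, so
    // relative input is rejected instead of being resolved against the page.
    url = new URL(raw);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href; // normalized form; render this, not the raw string
}

// Replace a post's url with its validated form, or null if it must not be linked.
function sanitizePost(post) {
  return { ...post, url: safeLinkUrl(post.url) };
}

// Constructed sample of posts as a server might hand them to a client.
const SAMPLE_POSTS = [
  { id: 1, title: "ordinary link", url: "https://example.com/post/1" },
  { id: 2, title: "script scheme", url: "javascript:void(0)" },
  { id: 3, title: "mixed case, leading space", url: " JaVaScRiPt:void(0)" },
  { id: 4, title: "embedded tab", url: "java\tscript:void(0)" },
  { id: 5, title: "data URL", url: "data:text/html,<b>x</b>" },
  { id: 6, title: "no url field" },
];

function linkablePostIds(posts) {
  return posts.map(sanitizePost).filter((p) => p.url !== null).map((p) => p.id);
}

console.log(linkablePostIds(SAMPLE_POSTS));
```

Rejected posts can still be shown as text; only the link is dropped.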