typo3/sysext/fluid/Classes/ViewHelpers/Link/ExternalViewHelper.php | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/typo3/sysext/fluid/Classes/ViewHelpers/Link/ExternalViewHelper.php b/typo3/sysext/fluid/Classes/ViewHelpers/Link/ExternalViewHelper.php
index 7984537..6293a62 100644
--- a/typo3/sysext/fluid/Classes/ViewHelpers/Link/ExternalViewHelper.php
+++ b/typo3/sysext/fluid/Classes/ViewHelpers/Link/ExternalViewHelper.php
@@ -68,6 +68,12 @@ class ExternalViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractTagBas
 $uri = $this->arguments['uri'];
 $defaultScheme = $this->arguments['defaultScheme'];
+ // Disallow direct javascript: or data: links
+ list($prefix, $_) = explode(':', $uri, 2);
+ if (in_array(strtolower(trim($prefix)), ['javascript', 'data'], true)) {
+ return $this->renderChildren();
+ }
+
 $scheme = parse_url($uri, PHP_URL_SCHEME);
 if ($scheme === null && $defaultScheme !== '') {
 $uri = $defaultScheme . '://' . $uri;
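Review bot: The added guard is a denylist with an exact string comparison, so it only rejects `javascript` and `data` in precisely the form that `trim()` and `strtolower()` produce; any other script-capable scheme, or a spelling that a browser normalises more leniently than this check, would presumably still end up in the rendered link. Failing closed would be more robust: normalise `$uri` first (drop whitespace and control characters), then accept only an explicit set of schemes and fall back to `renderChildren()` for everything else. Separately, `list($prefix, $_) = explode(':', $uri, 2);` raises an undefined-offset notice whenever `$uri` contains no colon, which is the ordinary scheme-less input that `defaultScheme` exists for; `$prefix = explode(':', $uri, 2)[0];` avoids it and drops the unused `$_`. The body of render() starts and ends outside this hunk, so how `$uri` is finally written into the tag is not visible here.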