Topic on Extension talk:ExternalLinks

Hey, just wanted to let you know that there are some pretty obvious XSS flaws in this extension.

The variables $filterURL and $filterURLnot are fetched from the http request and put right back into the HTML without validation. Consider using the HTML class instead of raw HTML.

I think $request->getVal() has security checks built in: Manual:WebRequest.php