Potential XSS vector in curl via unsanitized URL parameter handling

High
C
curl
Submitted None
Reported by redfoxsec

Vulnerability Details

Technical details and impact analysis

Code Injection
Description

Summary: During the analysis of the curl source code, a possible vector for Cross-Site Scripting (XSS) was identified through the glob_url() function and how URL input is handled via urlnode->url. Improper input validation or escaping could result in untrusted data being processed insecurely.

Affected version: Latest GitHub clone of curl/curl.

Tested on: Kali Linux (VirtualBox)

Version command: curl -v

Steps To Reproduce:

1. Clone the repository:
   git clone https://github.com/curl/curl.git
   cd curl

2. Search vulnerable code references:
   grep -rn "glob_url" src/
   grep -rn "urlnode" src/
   grep -rn "strcpy" src/

3. Try payloads in real requests using encoded XSS strings:
   curl "http://test.com?param=%3Cscript%3Ealert(1)%3C/script%3E" -w "%{url_effective}"

4. Observe the failure behavior and how the payload is processed or rejected (301 redirect, malformed input, reflected parts, etc.).

Supporting Material/References:

- Terminal output with code search and payload attempts: glob_url() usage and unsafe patterns
- Attempts to inject payloads with curl
- Screenshots attached for reference

Impact

If successfully exploited, this flaw could lead to XSS through insecure processing of user-controlled URLs. An attacker could:

- Steal session cookies or tokens
- Redirect victims to malicious sites
- Execute code in the browser context
- Perform phishing or social engineering attacks

This issue becomes critical in contexts where curl is embedded in user-facing applications, CLI tools processing user input, or CI pipelines consuming untrusted URLs.

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Submitted

Weakness

Code Injection