User Controllable URL
Certain HTML attributes take a URI as their value, for example, href in the a tag or src in the img tag. Depending on the type of the element, the browser may display the contents of this URI, execute scripts from the URI, or send user-supplied data to the URI in the attribute.
When an application places user input directly in these attributes, a malicious user can control the behavior of the browser. This can lead to an XSS or phishing attack.
You might need to change the application logic to avoid using direct user input as a URI in HTML attributes.
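
Where the application cannot avoid taking a URL from the user, one way to constrain it is to parse the value with the same URL algorithm the browser uses and allowlist the scheme (and optionally the host) before writing the attribute. The following is an added example, not code from the original page; the function names, the base origin app.example and the length limit are assumptions.

```javascript
// Added example: allowlist validation for a user-supplied URL before it is
// written into href/src. All names and the base origin are assumptions.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const BASE = "https://app.example/"; // hypothetical origin of the page

// Returns a normalized absolute URL string, or null if the input is rejected.
function safeUrl(input, { base = BASE, allowedHosts = null } = {}) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let url;
  try {
    // The WHATWG parser normalizes like a browser: it trims leading control
    // characters and spaces, strips tabs/newlines and lowercases the scheme,
    // so a disguised scheme is seen for what it is.
    url = new URL(input, base);
  } catch {
    return null; // unparseable input is never emitted
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  // Credentials in the authority can make a link look like a trusted host.
  if (url.username || url.password) return null;
  // Optional host allowlist: also catches protocol-relative "//host/path".
  if (allowedHosts && !allowedHosts.has(url.hostname)) return null;
  return url.href;
}

// Escape a value for use inside a double-quoted HTML attribute or text node.
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Render a link; rejected input falls back to an inert "#" target.
function renderLink(userUrl, label, opts) {
  const href = safeUrl(userUrl, opts) ?? "#";
  return `<a href="${escapeAttr(href)}" rel="noopener noreferrer">${escapeAttr(label)}</a>`;
}
```

Validation decides which URI the browser will act on; the attribute escaping is still needed so the accepted value cannot break out of the quoted attribute.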