A JavaScript payload such as “javascript:alert(1)” in a URL could cause a Cross-Site Scripting (XSS) vulnerability. According to the commit message (see references): “wp_kses_bad_protocol() makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.”
javascript:alert(1)
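The gap the commit message describes, shown as an added example (this is not WordPress code): a scheme check that looks only for a literal colon, beside one that decodes HTML5 character references before checking. The allow-list, both function names and the sample values are assumptions made for this illustration.

```php
<?php
// Added example: not WordPress code. ALLOWED_SCHEMES and both function
// names are assumptions made for this illustration.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// Naive check: only a literal ':' marks a scheme, so an entity-encoded
// colon makes the value look like a relative URL and it passes.
function naive_scheme_ok(string $uri): bool {
    $pos = strpos($uri, ':');
    if ($pos === false) {
        return true; // no scheme found, treated as relative
    }
    return in_array(strtolower(substr($uri, 0, $pos)), ALLOWED_SCHEMES, true);
}

// Hardened check: decode character references first (HTML5 table, which
// includes &colon;), repeating until the value stops changing.
function hardened_scheme_ok(string $uri): bool {
    for ($i = 0; $i < 5; $i++) {
        $decoded = html_entity_decode($uri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded === $uri) {
            break;
        }
        $uri = $decoded;
    }
    if (html_entity_decode($uri, ENT_QUOTES | ENT_HTML5, 'UTF-8') !== $uri) {
        return false; // still changing after 5 passes: reject
    }
    // Drop control characters and whitespace, for the check only.
    $uri = preg_replace('/[\x00-\x20]+/', '', $uri);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $uri, $m)) {
        return true; // no scheme, relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Constructed sample attribute values.
$samples = [
    'https://example.org/page',
    '/relative/path',
    'javascript:alert(1)',
    'javascript&colon;alert(1)',
    'javascript&#58;alert(1)',
];
foreach ($samples as $s) {
    printf("%-28s naive=%s hardened=%s\n", $s,
        var_export(naive_scheme_ok($s), true),
        var_export(hardened_scheme_ok($s), true));
}
```

Decoding more than once is stricter than a browser, which decodes an attribute value a single time; the extra passes cover values that are decoded again later in a processing pipeline.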