Is there a reason the strip_tags call in this function has been commented out in /plugins/system/chronog3_plg/chronog3/libs/url.php? Everything seems okay when I uncomment and return the strip_tags rather than the raw $pageURL, but I just want to make sure there isn't something I'm missing.
    public static function current(){
        $pageURL = self::domain();
        $pageURL .= self::path();
        return $pageURL;//strip_tags(htmlspecialchars($pageURL));
    }
What is the problem you are having with the code commented?
Currently the component outputs this line as part of its JS:
    setInterval(function(){jQuery.get("https://www.example.com/formpage?field_name=value");}, 300000);
This bit of code set off an XSS audit for us. It calls the Url::current() method from the original post, and returns the page URL, not encoded. This isn't a problem in most browsers as they'll encode the URL automatically before requesting the page (causing Url::current() to return an encoded URL). But if this pre-encoding isn't done, it allows something like:
Requesting
    https://www.example.com/formpage?field_name=");alert("0
Which causes the generated line to be
    setInterval(function(){jQuery.get("https://www.example.com/formpage?field_name=");alert("0");}, 300000);
Which would execute the alert() call.
The strip_tags call that already exists in the Url.php file (but is commented out) fixes the issue. I just want to double check that there isn't an issue with switching to returning the strip_tags call in Url::current rather than just directly returning $pageURL. Specifically, changing the code from the original post in Url.php to the following:
    public static function current(){
        $pageURL = self::domain();
        $pageURL .= self::path();
        return strip_tags(htmlspecialchars($pageURL));
    }
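The following is an added example, not code from ChronoForms or from either poster. It reproduces the string breakout described above with a constructed URL, applies the same strip_tags(htmlspecialchars()) fix, and puts json_encode() beside it, since that is the encoder PHP provides for a JavaScript string literal (htmlspecialchars is an HTML-text encoder and a URL inside a script is neither). The helper names renderPoll, renderPollJson and stringBodyBreaksOut are made up for this example.

```php
<?php
// Added example; assumes nothing about ChronoForms beyond the generated
// line quoted in the thread. Helper names are invented for illustration.

// The generated line from the thread, with the value returned by
// Url::current() spliced into a double-quoted JS string literal.
function renderPoll(string $urlFromCurrent): string
{
    return 'setInterval(function(){jQuery.get("' . $urlFromCurrent . '");}, 300000);';
}

// Same line, but the whole literal (quotes included) comes from json_encode().
// The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so the result can
// also not close an enclosing <script> element when inlined into HTML.
function renderPollJson(string $url): string
{
    $literal = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return 'setInterval(function(){jQuery.get(' . $literal . ');}, 300000);';
}

// The check an audit applies: does the text placed between the two double
// quotes contain an unescaped '"' that terminates the literal early?
function stringBodyBreaksOut(string $body): bool
{
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        if ($body[$i] === '\\') { // backslash escapes the next character
            $i++;
            continue;
        }
        if ($body[$i] === '"') {
            return true;
        }
    }
    return false;
}

// Constructed input: the request from the thread, as sent by a client that
// does not percent-encode the query string.
$payloadUrl = 'https://www.example.com/formpage?field_name=");alert("0';

// 1. Raw value, as the current Url::current() returns it: the literal ends
//    at field_name=" and the rest of the query string runs as script.
$raw = $payloadUrl;
echo renderPoll($raw), "\n";
echo 'raw breaks out: ', var_export(stringBodyBreaksOut($raw), true), "\n";

// 2. The thread's fix: every '"' becomes '&quot;', so no quote is left to
//    close the literal. strip_tags() then finds no tags to remove, because
//    '<' and '>' were already turned into entities. The URL that jQuery.get()
//    receives is, however, no longer the original one.
$fixed = strip_tags(htmlspecialchars($payloadUrl, ENT_QUOTES, 'UTF-8'));
echo renderPoll($fixed), "\n";
echo 'fixed breaks out: ', var_export(stringBodyBreaksOut($fixed), true), "\n";

// 3. json_encode(): '"' becomes \u0022, the literal stays intact, and the
//    string the browser evaluates is exactly the original URL.
echo renderPollJson($payloadUrl), "\n";

// Side effect of htmlspecialchars() on a URL that is worth covering when
// "testing your forms": '&' between query parameters becomes '&amp;', so a
// multi-parameter URL is requested with a parameter named 'amp;b'.
$multiParam = 'https://www.example.com/formpage?a=1&b=2';
echo strip_tags(htmlspecialchars($multiParam, ENT_QUOTES, 'UTF-8')), "\n";
echo json_decode(json_encode($multiParam, JSON_HEX_AMP)), "\n"; // round-trips unchanged
```

Run it with `php example.php`. The raw variant reports a breakout and the fixed variant does not, which matches the thread: uncommenting the strip_tags line does close the quote-injection shown above. The last two lines are the caveat: htmlspecialchars() rewrites `&` to `&amp;` inside the URL, so a page whose current URL carries more than one query parameter will be polled with a mangled query string, whereas a json_encode()-built literal leaves the URL as it was. In a JS string context that is the encoding to reach for; htmlspecialchars() belongs on values written into HTML text or attributes.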
I cannot remember now why this was commented out, because that was some time ago, but you can uncomment it and test your forms to find out if it has any negative effects.