Possible XSS vulnerability without a content security bypass
Medium
Vulnerability Details
## Summary:
Hi security team members,
Hope you are well and doing great :)
I found a **possible XSS vulnerability in https://dashboard.stripe.com**, but I was not able to bypass the content security policy.
Although I don't have much knowledge about CSP and its bypasses, I read that you accept XSS without a content security bypass, so I'm reporting this to you.
> Please note that we do accept and reward submissions for valid cross-site scripting vulnerabilities even if they are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security bypass will be assessed at a lower severity level than those with a bypass.
## Description:
This occurs when you create a `custom link` with `javascript://%0aalert(1)` through a [Stripe app](https://marketplace.stripe.com/apps/custom-links). It gives a **CSP "refused to execute" error** when you click the custom link.
## Steps To Reproduce:
1. Install the `Custom Link` app: https://marketplace.stripe.com/apps/custom-links
2. Now go to your products and create a `Custom Link` with `javascript://%0aalert(1)` as the link.
[Attachment F2076228]
3. Then, once you click the custom link you just created, it does not execute because of CSP.
[Attachment F2076226]
4. You can verify this by opening your `Console`.
## Video POC:
[Attachment F2076227]
## Impact
If an attacker is able to bypass CSP, then there is a possible XSS vulnerability in https://dashboard.stripe.com.
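The report relies on CSP as the only thing stopping the `javascript:` link from running. As an added example (not Stripe's code or the Custom Links app's code), here is the defence-in-depth check a link-storing feature would apply server-side or at render time: a scheme allowlist that rejects `javascript:` URLs in every spelling, so the outcome no longer depends on CSP. The sample inputs below are constructed, apart from the payload quoted in the report.

```javascript
// Only these schemes may be stored or rendered as a clickable custom link.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function isSafeLinkUrl(raw) {
  if (typeof raw !== "string") return false;
  let url;
  try {
    // WHATWG URL parsing (what browsers do before following a link) strips
    // ASCII tab/newline and leading/trailing control characters and
    // lowercases the scheme, so "JavaScript:", " javascript:" and
    // "java\nscript:" all normalise to protocol "javascript:".
    // Relative or scheme-less strings throw and are rejected outright.
    url = new URL(raw);
  } catch {
    return false;
  }
  // Allowlist rather than denylist: the "//%0a" suffix in the reported
  // payload only changes how the script body parses; the scheme is what
  // makes it dangerous, and that is all this check needs to look at.
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Constructed sample inputs; the first is the payload from the report.
const SAMPLE_LINKS = [
  "javascript://%0aalert(1)",
  "JavaScript:alert(1)",
  "  java\nscript:alert(1)",
  "data:text/html,hi",
  "https://dashboard.stripe.com/products",
  "http://example.com/path?x=1",
  "//example.com/no-scheme",
  "example.com",
];

// Map each candidate link to the validator's verdict.
function classifyLinks(links) {
  return Object.fromEntries(links.map((l) => [l, isSafeLinkUrl(l)]));
}
```

The same allowlist is what a reviewer would look for in the app's link-creation handler; CSP then remains a second layer rather than the only one.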
## Report Stats
- Report ID: 1804177
- State: Closed
- Substate: resolved
- Upvotes: 121