After Communicating with Microsoft, this was a security fix released on Microsoft Reporting Services (SSRS) version "16.0.9101.19239" (Product Version: 16.0.1116.38) on "2025/01/06"

• Information can be found here: https://learn.microsoft.com/en-us/sql/reporting-services/release-notes-reporting-services?view=sql-server-ver16#160910119239-20250106

Changed default SupportedHyperlinkSchemes advanced server property value to disallow JavaScript

to address it:

1. Connect to Server via SSMS

• open SSMS
• set "Server Type" to "Reporting Services"
• set Server name as "[Servername or localhost]\[SSRS INSTANCE NAME]" (example: SQL\SSRS)
• set Authentication as needed (usually Windows Authentication)

3. Set Server Properties

• Open Server Properties (Right-click on the Server > Properties)
• Go to Security Tab
• set "SupportedHyperlinkSchemes" to "*" (without "") - this will allow all URLs. if you have specific hyperlink schemes in use, you can put them here instead.

4. Restart SSRS