Merge pull request #185 from phihag/safemode-no-javascript-urls

Prevent javascript:// URLs

3 files changed, 8 insertions, 0 deletions

diff --git a/markdown/inlinepatterns.py b/markdown/inlinepatterns.py
index a1b264c..1ebb310 100644
--- a/markdown/inlinepatterns.py
+++ b/markdown/inlinepatterns.py
@@ -364,6 +364,9 @@ class LinkPattern(Pattern):
                 # Not a safe url
                 return ''
 
+        if scheme == 'javascript':
+            return ''
+
         # Url passes all tests. Return url as-is.
         return urlunparse(url)
 
diff --git a/tests/safe_mode/link-targets.html b/tests/safe_mode/link-targets.html
new file mode 100644
index 0000000..768ae5b
--- /dev/null
+++ b/tests/safe_mode/link-targets.html
@@ -0,0 +1,2 @@
+<p><a href="">XSS</a>
+See http://security.stackexchange.com/q/30330/1261 for details.</p>
\ No newline at end of file
diff --git a/tests/safe_mode/link-targets.txt b/tests/safe_mode/link-targets.txt
new file mode 100644
index 0000000..10eebda
--- /dev/null
+++ b/tests/safe_mode/link-targets.txt
@@ -0,0 +1,3 @@
+[XSS](javascript://%0Aalert%28'XSS'%29;)
+See http://security.stackexchange.com/q/30330/1261 for details.
+