-rw-r--r--markdown/inlinepatterns.py3
-rw-r--r--tests/safe_mode/link-targets.html2
-rw-r--r--tests/safe_mode/link-targets.txt3
3 files changed, 8 insertions, 0 deletions
diff --git a/markdown/inlinepatterns.py b/markdown/inlinepatterns.py
index a1b264c..1ebb310 100644
--- a/markdown/inlinepatterns.py
+++ b/markdown/inlinepatterns.py
@@ -364,6 +364,9 @@ class LinkPattern(Pattern):
# Not a safe url
return ''
+ if scheme == 'javascript':
+ return ''
+
# Url passes all tests. Return url as-is.
return urlunparse(url)
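Review bot: The new guard `if scheme == 'javascript':` is a denylist of a single scheme, so any other script-capable scheme that gets past the preceding checks the same way the test's `javascript://%0Aalert%28'XSS'%29;` vector did (a non-empty netloc after the `//`, e.g. `vbscript://…` or `data://…`) still falls through to `return urlunparse(url)`. Since the surrounding code already treats "Not a safe url" as `return ''`, the consistent fix is an allowlist of schemes rather than a second special case: `if scheme not in ('', 'mailto', 'news', 'http', 'https', 'ftp', 'ftps'):` followed by `return ''`. If `scheme` comes from `urlparse` (the `urlunparse(url)` on the last line suggests it does), it is already lowercased, so case variants such as `JavaScript:` are covered either way — worth confirming, though. `sanitize_url`'s body starts outside this hunk, so the allowlist should be reconciled with whatever locless-scheme list is defined there instead of being duplicated.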
diff --git a/tests/safe_mode/link-targets.html b/tests/safe_mode/link-targets.html
new file mode 100644
index 0000000..768ae5b
--- /dev/null
+++ b/tests/safe_mode/link-targets.html
@@ -0,0 +1,2 @@
+<p><a href="">XSS</a>
+See http://security.stackexchange.com/q/30330/1261 for details.</p> \ No newline at end of file
diff --git a/tests/safe_mode/link-targets.txt b/tests/safe_mode/link-targets.txt
new file mode 100644
index 0000000..10eebda
--- /dev/null
+++ b/tests/safe_mode/link-targets.txt
@@ -0,0 +1,3 @@
+[XSS](javascript://%0Aalert%28'XSS'%29;)
+See http://security.stackexchange.com/q/30330/1261 for details.
+
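Review bot: The fixture carries a single vector, `[XSS](javascript://%0Aalert%28'XSS'%29;)`, so the regression test pins only the exact string from the referenced report; a scheme check deserves at least one case variant and one alias-scheme line so a later regression is caught here rather than in the field. Consider adding `[XSS](JavaScript://%0Aalert%28'XSS'%29;)` and `[XSS](vbscript://%0Aalert%28'XSS'%29;)`, with the matching lines added to link-targets.html. Whatever the sanitizer actually emits for the `vbscript://` line is worth pinning; if it is not an empty href, that exposes the scheme-specific guard in inlinepatterns.py rather than a test problem.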