From f608517d9e1dee126431aafedabdabaa03ec2937 Mon Sep 17 00:00:00 2001
From: Philipp Hagemeister <phihag@phihag.de>
Date: Tue, 5 Feb 2013 18:50:21 +0100
Subject: Forbid javascript:// URLs in safe mode

---
 markdown/inlinepatterns.py        | 3 +++
 tests/safe_mode/link-targets.html | 2 ++
 tests/safe_mode/link-targets.txt  | 3 +++
 3 files changed, 8 insertions(+)
 create mode 100644 tests/safe_mode/link-targets.html
 create mode 100644 tests/safe_mode/link-targets.txt

diff --git a/markdown/inlinepatterns.py b/markdown/inlinepatterns.py
index a1b264c..1ebb310 100644
--- a/markdown/inlinepatterns.py
+++ b/markdown/inlinepatterns.py
@@ -364,6 +364,9 @@ class LinkPattern(Pattern):
                 # Not a safe url
                 return ''
 
+        if scheme == 'javascript':
+            return ''
+
         # Url passes all tests. Return url as-is.
         return urlunparse(url)
 
diff --git a/tests/safe_mode/link-targets.html b/tests/safe_mode/link-targets.html
new file mode 100644
index 0000000..768ae5b
--- /dev/null
+++ b/tests/safe_mode/link-targets.html
@@ -0,0 +1,2 @@
+<p><a href="">XSS</a>
+See http://security.stackexchange.com/q/30330/1261 for details.</p>
\ No newline at end of file
diff --git a/tests/safe_mode/link-targets.txt b/tests/safe_mode/link-targets.txt
new file mode 100644
index 0000000..10eebda
--- /dev/null
+++ b/tests/safe_mode/link-targets.txt
@@ -0,0 +1,3 @@
+[XSS](javascript://%0Aalert%28'XSS'%29;)
+See http://security.stackexchange.com/q/30330/1261 for details.
+
-- 
cgit v1.2.3