From 0b4ffbb60ef4a81cc6e5606ac40a42380077a690 Mon Sep 17 00:00:00 2001
From: Waylan Limberg
Date: Wed, 6 Feb 2013 12:03:50 -0500
Subject: Whitelisted known safe url schemes in safe_mode. A better fix for #185.

---
 markdown/inlinepatterns.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'markdown/inlinepatterns.py')

diff --git a/markdown/inlinepatterns.py b/markdown/inlinepatterns.py
index 1ebb310..f64aa58 100644
--- a/markdown/inlinepatterns.py
+++ b/markdown/inlinepatterns.py
@@ -354,19 +354,20 @@ class LinkPattern(Pattern):
             return ''
         locless_schemes = ['', 'mailto', 'news']
+        allowed_schemes = locless_schemes + ['http', 'https', 'ftp', 'ftps']
+        if scheme not in allowed_schemes:
+            # Not a known (allowed) scheme. Not safe.
+            return ''
+
         if netloc == '' and scheme not in locless_schemes:
-            # This fails regardless of anything else.
-            # Return immediately to save additional proccessing
+            # This should not happen. Treat as suspect.
             return ''
         for part in url[2:]:
             if ":" in part:
-                # Not a safe url
+                # A colon in "path", "parameters", "query" or "fragment" is suspect.
                 return ''
-        if scheme == 'javascript':
-            return ''
-
         # Url passes all tests. Return url as-is.
         return urlunparse(url)
--
cgit v1.2.3
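Review bot: The replacement comment `# This should not happen. Treat as suspect.` on the `netloc == ''` branch is misleading now that the allowlist precedes it: a location-based scheme with an empty netloc is a reachable input (a constructed example is `http:foo`, which urlparse yields with an empty netloc), so the branch is an ordinary malformed-URL rejection rather than an impossible state; I would write `# Location-based scheme (http/https/ftp/ftps) with no host is malformed; reject it.` instead. Moving from a `javascript` denylist to a scheme allowlist is the right direction, but the new `allowed_schemes` list is rebuilt inside the method on every call and is not overridable, so the added lines deserve a short comment stating that the set is deliberately closed and that the scheme comparison is case-insensitive only because urlparse lowercases the scheme before it reaches this code, e.g. `# urlparse lowercases the scheme, so a plain membership test is case-insensitive.` Consider hoisting both lists to class attributes (keeping the same values) so subclasses can extend them without copying the method. The enclosing function starts before this hunk, so the parsing of `url`, `scheme` and `netloc` that these checks depend on is not visible here.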