all repos — grayfriday @ e10ba88263489d0358d7bc5fd6f5e153c603a2a3

blackfriday fork with a few changes 

Sanitize shouldn't filter out URLs without protocol.
Daniel Imfeld daniel@danielimfeld.com
Fri, 16 May 2014 03:28:44 -0500
commit

e10ba88263489d0358d7bc5fd6f5e153c603a2a3

parent

93aad334f476fe5ecc0db49d91293fce5b4cd279

2 files changed, 4 insertions(+), 2 deletions(-)

jump to
M sanitize.gosanitize.go 
@@ -92,7 +92,7 @@ // For whitelisted attributes, if it's an attribute that requires
 						// protocol checking, do so and strip it if it's not known to be safe.
 						tagProtocolAttrs, ok := protocolAttrs[tagName]
 						if ok && tagProtocolAttrs[attrName] {
-							if !protocolAllowed(val) {
+							if !isRelativeLink(val) && !protocolAllowed(val) {
 								continue
 							}
 						}
M sanitize_test.gosanitize_test.go 
@@ -80,7 +80,7 @@ "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
 		"<p><img></p>\n",
 
 		`<IMG SRC=# onmouseover="alert('xxs')">`,
-		"<p><img></p>\n",
+		"<p><img src=\"#\"></p>\n",
 
 		`<IMG SRC= onmouseover="alert('xxs')">`,
 		"<p><img></p>\n",

@@ -192,6 +192,8 @@ func TestSanitizeInlineLink(t *testing.T) {
 	tests := []string{
 		"[link](javascript:evil)",
 		"<p><a>link</a></p>\n",
+                "[link](/abc)",
+                "<p><a href=\"/abc\">link</a></p>\n",
 	}
 	doTestsSanitize(t, tests)
 }