diff --git a/lib/parser_inline.js b/lib/parser_inline.js
index 52ab114..d8fdbb0 100644
--- a/lib/parser_inline.js
+++ b/lib/parser_inline.js
@@ -25,7 +25,7 @@ rules.push(require('./rules_inline/htmltag'));
 rules.push(require('./rules_inline/entity'));
 rules.push(require('./rules_inline/escape_html_char'));
-var BAD_PROTOCOLS = [ 'vbscript', 'javascript' ];
+var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
 function validateLink(url) {
 var str = '';
@@ -36,7 +36,7 @@ function validateLink(url) {
 if (!str) { return false; }
- if (BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
+ if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
 return false;
 }
 return true;
diff --git a/test/fixtures/remarkable/xss.txt b/test/fixtures/remarkable/xss.txt
index f37252d..f881400 100644
--- a/test/fixtures/remarkable/xss.txt
+++ b/test/fixtures/remarkable/xss.txt
@@ -1,3 +1,11 @@
+.
+[normal link](javascript)
+.
+
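Review bot: The guard in validateLink is still a scheme blocklist, so any scheme not named in BAD_PROTOCOLS (`data:` being the obvious one) continues to pass, and each newly noticed scheme needs another patch like this commit's `file` entry; an allowlist such as `var ALLOWED_PROTOCOLS = [ 'http', 'https', 'mailto' ];` checked with `if (str.indexOf(':') >= 0 && ALLOWED_PROTOCOLS.indexOf(str.split(':')[0]) < 0) { return false; }` would fail closed while keeping scheme-less relative links working. The added `str.indexOf(':') >= 0` pre-check is what lets a bare word like `[normal link](javascript)` through, but nothing at the call site says so; a comment along the lines of `// no ':' means a relative path (e.g. "javascript"), not a scheme` would keep a later reader from removing it as redundant. Whether upper-case or whitespace-padded scheme names reach this comparison already normalized depends on how str is built in the lines above the hunk, which are outside the diff (the existing VBSCRIPT fixture suggests lower-casing happens there). validateLink begins before this hunk.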

normal link

+. + + + Should not allow some protocols in links and images . @@ -24,6 +32,13 @@ Should not allow some protocols in links and images

[xss link](VBSCRIPT:alert(1))

. +. +[xss link](file:///123) +. +

[xss link](file:///123)

+. + + . [xss link]("><script>alert("xss")</script>) .