From 0d2200190017c11a8c748a5ddc9cf7844d3e40e4 Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Thu, 23 Oct 2014 17:16:50 +0400
Subject: [PATCH] more fixes in link protocols check
---
 lib/parser_inline.js | 4 ++--
 test/fixtures/remarkable/xss.txt | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/lib/parser_inline.js b/lib/parser_inline.js
index 52ab114..d8fdbb0 100644
--- a/lib/parser_inline.js
+++ b/lib/parser_inline.js
@@ -25,7 +25,7 @@ rules.push(require('./rules_inline/htmltag'));
 rules.push(require('./rules_inline/entity'));
 rules.push(require('./rules_inline/escape_html_char'));
-var BAD_PROTOCOLS = [ 'vbscript', 'javascript' ];
+var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
 function validateLink(url) {
 var str = '';
@@ -36,7 +36,7 @@ function validateLink(url) {
 if (!str) { return false; }
-if (BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
+if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
 return false;
 }
 return true;
diff --git a/test/fixtures/remarkable/xss.txt b/test/fixtures/remarkable/xss.txt
index f37252d..f881400 100644
--- a/test/fixtures/remarkable/xss.txt
+++ b/test/fixtures/remarkable/xss.txt
@@ -1,3 +1,11 @@
+.
+[normal link](javascript)
+.
+
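Review bot: In the validateLink hunk, `str.split(':')[0]` is not a scheme parse — it yields everything before the first colon, so a relative link whose path or query carries a colon (`page?t=10:30`, constructed example) is compared against BAD_PROTOCOLS as if `page?t=10` were its scheme, and the new `str.indexOf(':') >= 0` guard only covers the colon-free case. Matching the RFC 3986 scheme grammar at the start of the string makes both the guard and the split unnecessary: `var m = /^([a-z][a-z0-9+.-]*):/i.exec(str);` followed by `if (m && BAD_PROTOCOLS.indexOf(m[1].toLowerCase()) >= 0) { return false; }`. Whether `str` has already been lowercased or stripped of whitespace is decided by the loop that builds it between the two hunks (validateLink starts in the first hunk and its body is cut by the second), so the case-insensitive handling the existing `VBSCRIPT:` fixture relies on cannot be confirmed from here. The BAD_PROTOCOLS line in the first hunk carries no comment; something like `// URL schemes validateLink rejects in links and images; compared against the text before the first ':'` would record what the list guards. A denylist of schemes stays fragile as new ones appear, so an allowlist of the schemes the renderer intends to emit, with scheme-less relative links passing, is the more durable shape if compatibility allows it.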

normal link

+. + + + Should not allow some protocols in links and images . @@ -24,6 +32,13 @@ Should not allow some protocols in links and images

[xss link](VBSCRIPT:alert(1))

. +. +[xss link](file:///123) +. +

[xss link](file:///123)

+. + + . [xss link]("><script>alert("xss")</script>) .