more fixes in link protocols check

lib/parser_inline.js

@@ -25,7 +25,7 @@ rules.push(require('./rules_inline/htmltag'));
 rules.push(require('./rules_inline/entity'));
 rules.push(require('./rules_inline/escape_html_char'));
 
-var BAD_PROTOCOLS = [ 'vbscript', 'javascript' ];
+var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
 
 function validateLink(url) {
   var str = '';
@@ -36,7 +36,7 @@ function validateLink(url) {
 
   if (!str) { return false; }
 
-  if (BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
+  if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
     return false;
   }
   return true;

test/fixtures/remarkable/xss.txt

@@ -1,3 +1,11 @@
+.
+[normal link](javascript)
+.
+<p><a href="javascript">normal link</a></p>
+.
+
+
+
 Should not allow some protocols in links and images
 
 .
@@ -24,6 +32,13 @@ Should not allow some protocols in links and images
 <p>[xss link](VBSCRIPT:alert(1))</p>
 .
 
+.
+[xss link](file:///123)
+.
+<p>[xss link](file:///123)</p>
+.
+
+
 .
 [xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
 .