diff --git a/lib/index.js b/lib/index.js
index 98c69e2..6a0310e 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -21,14 +21,12 @@ var config = {
 };
-var replaceEntities = require('./common/utils').replaceEntities;
 var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
 function validateLink(url) {
- // Care about digital entities "javascript:alert(1)"
- var str = replaceEntities(url);
-
- str = str.trim().toLowerCase();
+ // url should be normalized at this point, and existing entities are decoded
+ //
+ var str = url.trim().toLowerCase();
 if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
 return false;
diff --git a/test/fixtures/markdown-it/xss.txt b/test/fixtures/markdown-it/xss.txt
index 8909583..25eb361 100644
--- a/test/fixtures/markdown-it/xss.txt
+++ b/test/fixtures/markdown-it/xss.txt
@@ -31,10 +31,13 @@ Should not allow some protocols in links and images
 [xss link](Javascript:alert(1))
 [xss link](Javascript:alert(1))
+
+[xss link](\Javascript:alert(1))
 .
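Review bot: validateLink now depends on a caller having decoded entities before it is called, but the hunk only states that in a comment and the function still accepts any string, so a call site that passes the raw link destination would silently lose the protection the removed replaceEntities call provided. Make the precondition part of the contract with a JSDoc header such as `/** @param {string} url - link destination with entities already decoded by the caller @returns {boolean} false for vbscript/javascript/file schemes */`, and drop the trailing bare `//` line of the new comment, which carries nothing. The fixture hunk adds a backslash-prefixed case; if xss.txt still contains entity-encoded scheme cases they now exercise the caller's decoding rather than this function, which is worth a one-line note in the fixture. validateLink's body continues past the end of the hunk.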

xss link

[xss link](Javascript:alert(1))

-

[xss link](Javascript:alert(1))

+

xss link

+

xss link

. .