validateLink: expand entities before trimming and lowercasing

lib/parser_inline.js

@@ -30,10 +30,10 @@ var _rules = [
 var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
 
 function validateLink(url) {
-  var str = url.trim().toLowerCase();
-
   // Care about digital entities "javascript:alert(1)"
-  str = replaceEntities(str);
+  var str = replaceEntities(url);
+
+  str = str.trim().toLowerCase();
 
   if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
     return false;

test/fixtures/markdown-it/xss.txt

@@ -29,8 +29,15 @@ Should not allow some protocols in links and images
 
 .
 [xss link]("><script>alert("xss")</script>)
+
+[xss link](Javascript:alert(1))
+
+[xss link](Javascript:alert(1))
+
 .
 <p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p>
+<p>[xss link](Javascript:alert(1))</p>
+<p>[xss link](&amp;#74;avascript:alert(1))</p>
 .
 
 .