diff --git a/lib/index.js b/lib/index.js
index abc1525..320b983 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -20,20 +20,41 @@ var config = {
   commonmark: require('./presets/commonmark')
 };
 
-
-var BAD_PROTOCOLS    = [ 'vbscript', 'javascript', 'file' ];
+////////////////////////////////////////////////////////////////////////////////
+//
+// This validator does not pretent to functionality of full weight sanitizers.
+// It's a tradeoff between default security, simplicity and usability.
+// If you need different setup - override validator method as you wish. Or
+// replace it with dummy function and use external sanitizer.
+//
+
+var BAD_PROTOCOLS      = [ 'vbscript', 'javascript', 'file', 'data' ];
+var ALLOWED_DATA_MIMES = [
+  'data:image/gif',
+  'data:image/png',
+  'data:image/jpeg',
+  'data:image/webp'
+];
 
 function validateLink(url) {
   // url should be normalized at this point, and existing entities are decoded
-  //
-  var str = url.trim().toLowerCase();
 
-  if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
+  var str      = url.trim().toLowerCase(),
+      protocol = str.split(':')[0];
+
+  if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(protocol) >= 0) {
+    if (protocol === 'data' && ALLOWED_DATA_MIMES.indexOf(str.split(';')[0]) >= 0) {
+      return true;
+    }
     return false;
   }
+
   return true;
 }
 
+////////////////////////////////////////////////////////////////////////////////
+
+
 var RECODE_HOSTNAME_FOR = [ 'http:', 'https:', 'mailto:' ];
 
 function normalizeLink(url) {
diff --git a/test/fixtures/markdown-it/xss.txt b/test/fixtures/markdown-it/xss.txt
index 25eb361..99bfa42 100644
--- a/test/fixtures/markdown-it/xss.txt
+++ b/test/fixtures/markdown-it/xss.txt
@@ -53,6 +53,21 @@ Should not allow some protocols in links and images
 .
 
 
+Should not allow data-uri except some whitelisted mimes
+.
+![](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
+.
+<p><img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt=""></p>
+.
+
+.
+[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
+.
+<p>[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)</p>
+.
+
+
+
 Image parser use the same code base.
 .
 ![xss link](javascript:alert(1))