Sanitize shouldn't filter out URLs without protocol.

2014-05-16 03:28:44 -05:00 · 2014-05-16 03:28:44 -05:00 · e10ba88263
parent 93aad334f4
commit e10ba88263
2 changed files with 4 additions and 2 deletions
--- a/sanitize.go
+++ b/sanitize.go
@ -92,7 +92,7 @@ func sanitizeHtmlSafe(input []byte) []byte {
 						// protocol checking, do so and strip it if it's not known to be safe.
 						tagProtocolAttrs, ok := protocolAttrs[tagName]
 						if ok && tagProtocolAttrs[attrName] {
-							if !protocolAllowed(val) {
+							if !isRelativeLink(val) && !protocolAllowed(val) {
 								continue
 							}
 						}
--- a/sanitize_test.go
+++ b/sanitize_test.go
@ -80,7 +80,7 @@ func TestSanitizeRawHtmlTag(t *testing.T) {
 		"<p><img></p>\n",

 		`<IMG SRC=# onmouseover="alert('xxs')">`,
-		"<p><img></p>\n",
+		"<p><img src=\"#\"></p>\n",

 		`<IMG SRC= onmouseover="alert('xxs')">`,
 		"<p><img></p>\n",
@ -192,6 +192,8 @@ func TestSanitizeInlineLink(t *testing.T) {
 	tests := []string{
 		"[link](javascript:evil)",
 		"<p><a>link</a></p>\n",
+                "[link](/abc)",
+                "<p><a href=\"/abc\">link</a></p>\n",
 	}
 	doTestsSanitize(t, tests)
 }