diff --git a/Render.go b/Render.go
index 8c1fa2b..1447a87 100644
--- a/Render.go
+++ b/Render.go
@@ -171,6 +171,8 @@ func (r *renderer) writeText(markdown string) {
 }
 
 func sanitizeURL(linkURL string) string {
+ linkURL = strings.TrimSpace(linkURL)
+
 if strings.HasPrefix(strings.ToLower(linkURL), "javascript:") {
 return ""
 }
diff --git a/Render_test.go b/Render_test.go
index e47ce23..4ccecaa 100644
--- a/Render_test.go
+++ b/Render_test.go
@@ -56,6 +56,8 @@ func TestCombined(t *testing.T) {
 func TestSecurity(t *testing.T) {
 assert.Equal(t, markdown.Render("[text](javascript:alert(\"xss\"))"), "
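Review bot: strings.TrimSpace only removes Unicode whitespace, so the javascript: prefix check that follows still sees a different string than a browser does: the WHATWG URL parser strips leading and trailing C0 controls (U+0000–U+001F) and deletes ASCII tab, LF and CR anywhere in the input before it reads the scheme, and TrimSpace handles none of that in the interior and only the whitespace subset at the edges. Normalising the input the same way before the check closes that gap; the rewrite below does it with strings.Map and strings.TrimFunc, using only the package the hunk already imports. sanitizeURL continues past the end of the hunk; if that remainder does not already allowlist schemes (for example url.Parse and comparing Scheme against http, https and mailto), that is the more robust shape than a javascript: denylist, since any other active scheme passes the check as written. It would also be worth pinning this in TestSecurity with inputs that carry an interior tab or newline and a leading control byte.
```go
func sanitizeURL(linkURL string) string {
	// Browsers delete ASCII tab, LF and CR anywhere in a URL and strip
	// leading/trailing C0 controls before reading the scheme, so apply the
	// same normalisation here or the prefix check below is comparing a
	// different string than the one the browser will act on.
	linkURL = strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, linkURL)
	linkURL = strings.TrimFunc(linkURL, func(r rune) bool { return r <= ' ' })

	// … unchanged: javascript: prefix check and the rest of sanitizeURL (continues outside the hunk) …
```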
")
 assert.Equal(t, markdown.Render("[text](javAscRipt:alert(\"xss\"))"), "")
- assert.Equal(t, markdown.Render("[text](\">