From 133d01bd11151d7e80bbc1dc5d5f2b728dc8cdf8 Mon Sep 17 00:00:00 2001
From: Eduard Urbach <admin@akyoto.dev>
Date: Mon, 1 Apr 2024 19:34:02 +0200
Subject: [PATCH] Improved URL sanitizer

---
 Render.go      | 2 ++
 Render_test.go | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Render.go b/Render.go
index 8c1fa2b..1447a87 100644
--- a/Render.go
+++ b/Render.go
@@ -171,6 +171,8 @@ func (r *renderer) writeText(markdown string) {
 }
 
 func sanitizeURL(linkURL string) string {
+	linkURL = strings.TrimSpace(linkURL)
+
 	if strings.HasPrefix(strings.ToLower(linkURL), "javascript:") {
 		return ""
 	}
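Review bot: `strings.TrimSpace` at L19 only removes leading and trailing whitespace, so the `javascript:` prefix check at L21 is still reachable with an ASCII tab, LF or CR placed inside the scheme, because browsers discard those characters from anywhere in a URL before they read the scheme (WHATWG URL parsing); such a link would still execute. Remove those characters from the whole value before the prefix test, as in the excerpt below. A more robust fix is to parse the value with `net/url` and allow-list the schemes the renderer accepts (http, https, mailto and scheme-less relative links), which also covers other script-bearing schemes a single deny-list prefix does not. sanitizeURL's body continues past the end of the hunk, so the remainder is not reviewed here.
```go
func sanitizeURL(linkURL string) string {
	linkURL = strings.TrimSpace(linkURL)
	// Browsers drop ASCII tab/LF/CR from anywhere in a URL before reading the
	// scheme, so strip them here too or the prefix check below can be skipped.
	linkURL = strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, linkURL)

	if strings.HasPrefix(strings.ToLower(linkURL), "javascript:") {
	// … unchanged: rest of sanitizeURL …
```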
diff --git a/Render_test.go b/Render_test.go
index e47ce23..4ccecaa 100644
--- a/Render_test.go
+++ b/Render_test.go
@@ -56,6 +56,8 @@ func TestCombined(t *testing.T) {
 func TestSecurity(t *testing.T) {
 	assert.Equal(t, markdown.Render("[text](javascript:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
 	assert.Equal(t, markdown.Render("[text](javAscRipt:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
-	assert.Equal(t, markdown.Render("[text](\"><div>html</div>)"), "<p><a href=\"&#34;&gt;&lt;div&gt;html&lt;/div&gt;\">text</a></p>")
-	assert.Equal(t, markdown.Render("[<div>html</div>]()"), "<p><a href=\"\">&lt;div&gt;html&lt;/div&gt;</a></p>")
+	assert.Equal(t, markdown.Render("[text]( javascript:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
+	assert.Equal(t, markdown.Render("[text]('javAscRipt:alert(\"xss\")')"), "<p><a href=\"&#39;javAscRipt:alert(&#34;xss&#34;)&#39;\">text</a></p>")
+	assert.Equal(t, markdown.Render("[text](\"><script>alert(123)</script>)"), "<p><a href=\"&#34;&gt;&lt;script&gt;alert(123)&lt;/script&gt;\">text</a></p>")
+	assert.Equal(t, markdown.Render("[<script>alert(123)</script>]()"), "<p><a href=\"\">&lt;script&gt;alert(123)&lt;/script&gt;</a></p>")
 }
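Review bot: The new whitespace case at L34 pins only a leading space, while the trim being tested also covers tab, newline and carriage return; add one assertion each for a leading `\t` and `\n` so a later narrowing of the trim is caught, and one with the control character inside the scheme to record whether that form is meant to be blanked or kept. The L35 case documents that a quoted scheme is passed through (escaped) rather than emptied; a one-line comment such as `// leading quote makes this an invalid scheme, so the href is kept but escaped` would tell the next maintainer that this is intended and not an oversight. TestSecurity is fully contained in the hunk.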