Link allows javascript which could lead to XSS issues #497
Comments
I've proposed some changes to parsedown here to prevent that, #495, which you can grab a little early from here: https://github.com/aidantwoods/parsedown/tree/anti-xss. Just be sure to set `$Parsedown->setMarkupEscaped(true);` to disable HTML tags (since the markdown language permits HTML by default). Lastly, if you're willing to test that version, feedback is welcome/encouraged :).
@aidantwoods cool, thanks. I think people will want your PR in master, to keep things safer. I'll grab your version and inform you if I find any issues.
@erusev what about this problem? Will it be solved?
I don't know if this is a bug or an expected feature, so please correct me if I'm wrong, but I found that I can actually write javascript links like this:
An alert does pop out and this behavior is actually disallowed in GitHub.
People can do nasty things if a victim does click on one of these links.