check dangerous schemes

Valzet · Valzet · commit c5d29b226dc7 · 2025-10-21T11:15:06.000+03:00
diff --git a/src/lib/isURL.js b/src/lib/isURL.js
@@ -58,7 +58,9 @@ export default function isURL(url, options) {
   if (!url || /[\s<>]/.test(url)) {
     return false;
   }
-  if (url.indexOf('mailto:') === 0) {
+  const lowerUrl = url.trim().toLowerCase();
+  const dangerousSchemes = ['javascript:', 'data:', 'vbscript:', 'file:', 'blob:', 'mailto:'];
+  if (dangerousSchemes.some(scheme => lowerUrl.startsWith(scheme))) {
     return false;
   }
   options = merge(options, default_url_options);

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,9 @@ export default function isURL(url, options) {`
`58`	`58`	`if (!url \|\| /[\s<>]/.test(url)) {`
`59`	`59`	`return false;`
`60`	`60`	`}`
`61`		`- if (url.indexOf('mailto:') === 0) {`
	`61`	`+ const lowerUrl = url.trim().toLowerCase();`
	`62`	`+ const dangerousSchemes = ['javascript:', 'data:', 'vbscript:', 'file:', 'blob:', 'mailto:'];`
	`63`	`+ if (dangerousSchemes.some(scheme => lowerUrl.startsWith(scheme))) {`
`62`	`64`	`return false;`
`63`	`65`	`}`
`64`	`66`	`options = merge(options, default_url_options);`