Filter out 'javascript:' and 'vbscript:' schemes from being autolinked.

Author: gregjacobs

dist/Autolinker.js

@@ -16,7 +16,7 @@
 
 	/*!
 	 * Autolinker.js
-	 * 0.14.0
+	 * 0.14.1
 	 *
 	 * Copyright(c) 2014 Gregory Jacobs <[email protected]>
 	 * MIT Licensed. http://www.opensource.org/licenses/mit-license.php
@@ -1284,6 +1284,7 @@
 
 	} );
 	/*global Autolinker */
+	/*jshint scripturl:true */
 	/**
 	 * @private
 	 * @class Autolinker.MatchValidator
@@ -1322,12 +1323,14 @@
 		hasFullProtocolRegex : /^[A-Za-z][-.+A-Za-z0-9]+:\/\//,
 
 		/**
-		 * Regex to test for a protocol prefix, such as 'mailto:'
+		 * Regex to find the URI scheme, such as 'mailto:'.
+		 * 
+		 * This is used to filter out 'javascript:' and 'vbscript:' schemes.
 		 * 
 		 * @private
-		 * @property {RegExp} hasProtocolPrefixRegex
+		 * @property {RegExp} uriSchemeRegex
 		 */
-		hasProtocolPrefixRegex : /^[A-Za-z][-.+A-Za-z0-9]+:/,
+		uriSchemeRegex : /^[A-Za-z][-.+A-Za-z0-9]+:/,
 
 		/**
 		 * Regex to determine if at least one word char exists after the protocol (i.e. after the ':')
@@ -1361,6 +1364,7 @@
 		 */
 		isValidMatch : function( urlMatch, protocolUrlMatch, protocolRelativeMatch ) {
 			if(
+				( protocolUrlMatch && !this.isValidUriScheme( protocolUrlMatch ) ) ||
 				this.urlMatchDoesNotHaveProtocolOrDot( urlMatch, protocolUrlMatch ) ||       // At least one period ('.') must exist in the URL match for us to consider it an actual URL, *unless* it was a full protocol match (like 'http://localhost')
 				this.urlMatchDoesNotHaveAtLeastOneWordChar( urlMatch, protocolUrlMatch ) ||  // At least one letter character must exist in the domain name after a protocol match. Ex: skip over something like "git:1.0"
 				this.isInvalidProtocolRelativeMatch( protocolRelativeMatch )                 // A protocol-relative match which has a word character in front of it (so we can skip something like "abc//google.com")
@@ -1372,6 +1376,22 @@
 		},
 
 
+		/**
+		 * Determines if the URI scheme is a valid scheme to be autolinked. Returns `false` if the scheme is 
+		 * 'javascript:' or 'vbscript:'
+		 * 
+		 * @private
+		 * @param {String} uriSchemeMatch The match URL string for a full URI scheme match. Ex: 'http://yahoo.com' 
+		 *   or 'mailto:[email protected]'.
+		 * @return {Boolean} `true` if the scheme is a valid one, `false` otherwise.
+		 */
+		isValidUriScheme : function( uriSchemeMatch ) {
+			var uriScheme = uriSchemeMatch.match( this.uriSchemeRegex )[ 0 ];
+
+			return ( uriScheme !== 'javascript:' && uriScheme !== 'vbscript:' );
+		},
+
+
 		/**
 		 * Determines if a URL match does not have either:
 		 *