Merge pull request #844 from chjj/data_link_fix

added data link fix to prevent xss

lib/marked.js

@@ -875,7 +875,7 @@ Renderer.prototype.link = function(href, title, text) {
     } catch (e) {
       return '';
     }
-    if (prot.indexOf('javascript:') === 0 || prot.indexOf('vbscript:') === 0) {
+    if (prot.indexOf('javascript:') === 0 || prot.indexOf('vbscript:') === 0 || prot.indexOf('data:') === 0) {
       return '';
     }
   }

test/tests/links.sanitize.html

@@ -1,4 +1,5 @@
 <p></p>
 <p></p>
 <p></p>
+<p></p>
 <p></p>

test/tests/links.sanitize.text

@@ -4,4 +4,6 @@
 
 [URL](javascript:alert(1))
 
-[URL](javascript&#58document;alert(1))
+[URL](javascript&#58document;alert(1))
+
+[URL](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)