diff --git a/policy.go b/policy.go
index 995f46c..c5bb0ff 100644
--- a/policy.go
+++ b/policy.go
@@ -118,7 +118,11 @@ type Policy struct {
allowURLSchemes map[string][]urlPolicy
// These regexps are used to match allowed URL schemes, for example
- // if one would want to allow all URL schemes, they would add `.+`
+ // if one would want to allow all URL schemes, they would add `.+`.
+ // However pay attention as this can lead to XSS being rendered thus
+ // defeating the purpose of using a HTML sanitizer.
+ // The regexps are only considered if a schema was not explicitly
+ // handled by `AllowURLSchemes` or `AllowURLSchemeWithCustomPolicy`.
allowURLSchemeRegexps []*regexp.Regexp
// If an element has had all attributes removed as a result of a policy
diff --git a/sanitize.go b/sanitize.go
index 9121aef..bdb1dfa 100644
--- a/sanitize.go
+++ b/sanitize.go
@@ -970,14 +970,14 @@ func (p *Policy) validURL(rawurl string) (string, bool) {
}
if u.Scheme != "" {
- for _, r := range p.allowURLSchemeRegexps {
- if r.MatchString(u.Scheme) {
- return u.String(), true
- }
- }
-
urlPolicies, ok := p.allowURLSchemes[u.Scheme]
if !ok {
+ for _, r := range p.allowURLSchemeRegexps {
+ if r.MatchString(u.Scheme) {
+ return u.String(), true
+ }
+ }
+
return "", false
}
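Review bot: The relocated regexp loop still returns `u.String(), true` on the first match, so a scheme accepted via regexp is returned as-is, while a scheme with an explicit entry in `allowURLSchemes` goes on to whatever per-scheme checks follow the `if !ok` branch; that precedence is now the whole point of the change but nothing in validURL says so. A short comment on the loop would make the intent survive the next refactor, e.g. `// Regexps are only a fallback for schemes with no explicit policy; a match accepts the URL without further per-scheme checks.` Note that a broad pattern such as `.+` (which the policy.go comment already warns about) accepts every scheme that is not explicitly handled, so the explicit `javascript` policy in the test is what actually blocks it. validURL starts and continues outside this hunk.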
diff --git a/sanitize_test.go b/sanitize_test.go
index 4e3a08f..511b961 100644
--- a/sanitize_test.go
+++ b/sanitize_test.go
@@ -4007,4 +4007,22 @@ func TestIssue174(t *testing.T) {
out,
expected)
}
+
+ // Custom handling of specific URL schemes even if the regex allows all
+ p.AllowURLSchemeWithCustomPolicy("javascript", func(*url.URL) bool {
+ return false
+ })
+
+ input = `
+xss`
+ out = p.Sanitize(input)
+ expected = `
+xss`
+ if out != expected {
+ t.Errorf(
+ "test failed;\ninput : %s\noutput : %s\nexpected: %s",
+ input,
+ out,
+ expected)
+ }
}
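Review bot: The new case only checks that the custom `javascript` policy wins over the regexp; there is no companion assertion that a scheme matched by the regexp and lacking an explicit policy is still accepted after the reorder in sanitize.go, so a regression that dropped the fallback entirely would pass. Adding one more `input`/`expected` pair for such a scheme would pin both halves of the new ordering. Also, as rendered here the `input` and `expected` literals contain only `xss` with no `javascript:` href, which looks like markup lost in this view rather than in the commit — worth confirming the committed literal actually carries the scheme under test. TestIssue174 starts outside this hunk, and the `p` policy it uses (presumably with a permissive scheme regexp) is set up there.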