Diffstat (limited to 'lib/parse/renderer.js')
-rw-r--r--lib/parse/renderer.js47
1 files changed, 39 insertions, 8 deletions
diff --git a/lib/parse/renderer.js b/lib/parse/renderer.js
index 66aad46..4b5c945 100644
--- a/lib/parse/renderer.js
+++ b/lib/parse/renderer.js
@@ -1,3 +1,4 @@
+var url = require('url');
var inherits = require('util').inherits;
var marked = require('marked');
@@ -11,17 +12,47 @@ function GitBookRenderer(options) {
}
inherits(GitBookRenderer, marked.Renderer);
+GitBookRenderer.prototype._unsanitized = function(href) {
+ var prot = '';
+ try {
+ prot = decodeURIComponent(unescape(href))
+ .replace(/[^\w:]/g, '')
+ .toLowerCase();
-GitBookRenderer.prototype.link = function(href, title, text) {
- // Replace .md extensions by .html
- return GitBookRenderer.super_.prototype.link.call(
- this,
- href.replace(/\.md$/, '.html'),
- title,
- text
- );
+ } catch (e) {
+ return true;
+ }
+
+ if(prot.indexOf('javascript:') === 0) {
+ return true;
+ }
+
+ return false;
};
+GitBookRenderer.prototype.link = function(href, title, text) {
+ // Don't build if it looks malicious
+ if (this.options.sanitize && this._unsanitized(href)) {
+ return '';
+ }
+
+ // Parsed version of the url
+ var parsed = url.parse(href);
+
+
+ // Generate HTML for link
+ var out = '<a href="' + href + '"';
+ // Title if no null
+ if (title) {
+ out += ' title="' + title + '"';
+ }
+ // Target blank if external
+ if(parsed.protocol) {
+ out += ' target="_blank"';
+ }
+ out += '>' + text + '</a>';
+ return out;
+};
// Exports
module.exports = GitBookRenderer;
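Review bot: The check in `_unsanitized` rejects only a normalized `javascript:` prefix, so with `sanitize` enabled other script-bearing schemes still reach the `<a href="...">` string that `link` builds; the same normalized `prot` should at least also reject `vbscript:` and `data:`, e.g. `if (prot.indexOf('javascript:') === 0 || prot.indexOf('vbscript:') === 0 || prot.indexOf('data:') === 0) {`, and an allowlist of permitted schemes would be the more robust shape than a denylist. The `target="_blank"` added for links with a `parsed.protocol` should carry a `rel` attribute so the opened page cannot reach `window.opener`: `out += ' target="_blank" rel="noopener noreferrer"';`. `href`, `title` and `text` are concatenated into the markup unescaped; if the inline lexer is what escapes them before they reach the renderer, a comment above `var out = '<a href="' + href + '"';` saying so would spare the next reader re-checking it, otherwise they need escaping here. The old `.md` to `.html` rewrite of `href` is dropped without replacement in this hunk — presumably intentional, but worth confirming nothing else now performs it.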