fix(renderer): update regex for supported link schemes

This commit updates the whitelist we're using for outgoing links from HedgeDoc. Previously, any URI scheme except javascript: could be used as long as it contains two slashes after the scheme (like https://). On the one hand this allowed linking to arbitrary and possibly unsafe URI schemes, on the other hand this breaks some schemes like xmpp: or geo:.
We're now using the list of schemes that can be registered by a browser to be opened. This restricts arbitrary scheme usage but on the other side fixes several other schemes.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>

public/docs/release-notes.md

@@ -10,6 +10,9 @@
 ### Bugfixes
 - Ignore the healthcheck endpoint in the "too busy" limiter
 
+### Enhancements
+- Allow links to protocols such as xmpp, webcal or geo
+
 ## <i class="fa fa-tag"></i> 1.10.3 <i class="fa fa-calendar-o"></i> 2025-04-09
 
 ### Security fixes

public/js/render.js

@@ -4,8 +4,10 @@ const filterXSS = require('xss')
 
 const whiteListAttr = ['id', 'class', 'style']
 window.whiteListAttr = whiteListAttr
-// allow link starts with '.', '/' and custom protocol with '://', exclude link starts with javascript://
-const linkRegex = /^(?!javascript:\/\/)([\w|-]+:\/\/)|^([.|/])+/i
+// allow links starting with '.', '/', '#', '?', 'http://', 'https://' and protocols supported by the navigator.registerProtocolHandler API
+// These schemes can be considered safe-enough for linking to since these are the ones that can be opened using a browser.
+// See: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler
+const linkRegex = /^(?:\?|#|\.|\/|https?:\/\/|(?:web\+[a-z]+|bitcoin|ftp|ftps|geo|im|irc|ircs|magnet|mailto|matrix|mms|news|nntp|openpgp4fpr|sftp|sip|sms|smsto|ssh|tel|urn|webcal|wtai|xmpp):)/i
 // allow data uri, from https://gist.github.com/bgrins/6194623
 const dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@/?%\s]*)\s*$/i
 // custom white list