diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index 0e7d2dc8..abb29bc2 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -10,6 +10,9 @@
 ### Bugfixes
 - Ignore the healthcheck endpoint in the "too busy" limiter

+### Enhancements
+- Allow links to protocols such as xmpp, webcal or geo
+
 ## 1.10.3 2025-04-09

 ### Security fixes
diff --git a/public/js/render.js b/public/js/render.js
index cffaa116..250d0a0d 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -4,8 +4,10 @@
 const filterXSS = require('xss')
 const whiteListAttr = ['id', 'class', 'style']
 window.whiteListAttr = whiteListAttr
-// allow link starts with '.', '/' and custom protocol with '://', exclude link starts with javascript://
-const linkRegex = /^(?!javascript:\/\/)([\w|-]+:\/\/)|^([.|/])+/i
+// allow links starting with '.', '/', '#', '?', 'http://', 'https://' and protocols supported by the navigator.registerProtocolHandler API
+// These schemes can be considered safe-enough for linking to since these are the ones that can be opened using a browser.
+// See: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler
+const linkRegex = /^(?:\?|#|\.|\/|https?:\/\/|(?:web\+[a-z]+|bitcoin|ftp|ftps|geo|im|irc|ircs|magnet|mailto|matrix|mms|news|nntp|openpgp4fpr|sftp|sip|sms|smsto|ssh|tel|urn|webcal|wtai|xmpp):)/i
 // allow data uri, from https://gist.github.com/bgrins/6194623
 const dataUriRegex = /^\s*data:([a-z]+\/[a-z0-9-+.]+(;[a-z-]+=[a-z0-9-]+)?)?(;base64)?,([a-z0-9!$&',()*+;=\-._~:@/?%\s]*)\s*$/i
 // custom white list
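Review bot: The new `linkRegex` on the last `+` line rejects every `scheme://` link the removed `[\w|-]+:\/\/` pattern used to accept that is not in the allowlist (e.g. `slack://`, `vscode://`, `steam://`), but neither the code comment nor the "Enhancements" entry in the release-notes hunk says so, so users will see those links silently stripped with no explanation. The allowlist itself is the right direction, since `javascript:`, `vbscript:` and `data:` are now rejected by construction instead of by a single negative lookahead that only covered `javascript://`, but the comment's "safe-enough" claim should be qualified: these schemes cannot run script in the page, yet `ssh:`, `magnet:`, `sftp:` and similar still hand the link to an external handler, which is a different risk profile from `https://`. I would add `// Any other custom scheme (slack://, vscode://, ...) that the previous regex accepted is now rejected; extend this list explicitly if one is needed.` above the regex and record the change in the release notes as a behaviour change rather than only an enhancement. How a non-matching href is then handled (dropped, escaped or left in place) is decided at the call site, which is outside this hunk. A unit test asserting `linkRegex.test('javascript:alert(1)') === false` and `linkRegex.test('xmpp:user@example.org') === true` would pin the intent against future edits to the list.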