fix(renderer): update regex for supported link schemes

This commit updates the whitelist we're using for outgoing links from HedgeDoc. Previously, any URI scheme except javascript: could be used as long as it contains two slashes after the scheme (like https://). On the one hand this allowed linking to arbitrary and possibly unsafe URI schemes, on the other hand this breaks some schemes like xmpp: or geo:.

We're now using the list of schemes that can be registered by a browser to be opened. This restricts arbitrary scheme usage but on the other side fixes several other schemes.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
@@ -10,6 +10,9 @@
|
||||
### Bugfixes
|
||||
- Ignore the healthcheck endpoint in the "too busy" limiter
|
||||
|
||||
### Enhancements
|
||||
- Allow links to protocols such as xmpp, webcal or geo
|
||||
|
||||
## <i class="fa fa-tag"></i> 1.10.3 <i class="fa fa-calendar-o"></i> 2025-04-09
|
||||
|
||||
### Security fixes
|
||||
|
||||
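Review bot: The "Allow links to protocols such as xmpp, webcal or geo" entry under "### Enhancements" records only the schemes that start working, while the commit message also says arbitrary scheme usage is now restricted to a fixed list. Notes that link to a scheme outside that list may no longer render as links after upgrading, so the release notes should state the restriction as well, for example with a second bullet saying outgoing links are limited to the supported scheme list. Since the commit is typed fix(renderer) and narrows what links can point to, consider whether it also deserves a line under a fixes heading rather than appearing only as an enhancement.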