# HG changeset patch
# User Steve Losh
# Date 1278783972 14400
# Node ID 82d7322620316286c4fdf5768e600661588b85e8
# Parent 1b9066798f87dd1acba452281e176eb2bf7ab47c
bundled/markdown2: make markdown links a bit more secure

diff -r 1b9066798f87 -r 82d732262031 bundled/markdown2/lib/markdown2.py
--- a/bundled/markdown2/lib/markdown2.py Fri Jul 09 22:46:09 2010 -0400
+++ b/bundled/markdown2/lib/markdown2.py Sat Jul 10 13:46:12 2010 -0400
@@ -953,7 +953,10 @@
 # We've got to encode these to avoid conflicting
 # with italics/bold.
 url = url.replace('*', g_escape_table['*']) \
- .replace('_', g_escape_table['_'])
+ .replace('_', g_escape_table['_']) \
+ .replace('"', '&quo;')
+ if url.startswith('javascript:'):
+ url = url.replace('javascript:', '', 1)
 if title:
 title_str = ' title="%s"' \
 % title.replace('*', g_escape_table['*']) \
@@ -1003,7 +1006,10 @@
 # We've got to encode these to avoid conflicting
 # with italics/bold.
 url = url.replace('*', g_escape_table['*']) \
- .replace('_', g_escape_table['_'])
+ .replace('_', g_escape_table['_']) \
+ .replace('"', '&quo;')
+ if url.startswith('javascript:'):
+ url = url.replace('javascript:', '', 1)
 title = self.titles.get(link_id)
 if title:
 title = title.replace('*', g_escape_table['*']) \
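Review bot: The entity written by the added `.replace('"', '&quo;')` line is not a valid HTML entity — the name is `&quot;` — so a legitimate URL containing a double quote is emitted as the literal text `&quo;` rather than being decoded back to `"` by the browser; the same typo appears in the second hunk at +1006. The `javascript:` guard that follows compares case-sensitively and without stripping leading whitespace, so it only catches the exact lowercase prefix; a normalized check such as `if url.lstrip().lower().startswith('javascript:'):` covers the same scheme more reliably, and since the current code only strips the scheme and keeps the remainder as a relative link, it may be clearer to discard the href altogether when the check fires. The enclosing function starts and ends outside both hunks, so it is unclear from here whether the scheme check is also applied to the auto-link and image code paths.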