From 6a8a854ae0a3852e2d2e53ae2de0f59dcfebb77b Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 5 Apr 2020 15:15:35 +0000
Subject: [PATCH] Merged r19672 to 4.0-stable (#32934).

git-svn-id: http://svn.redmine.org/redmine/branches/4.0-stable@19674 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 lib/redmine/wiki_formatting/textile/redcloth3.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/redmine/wiki_formatting/textile/redcloth3.rb b/lib/redmine/wiki_formatting/textile/redcloth3.rb
index 85d3e85c6..011885706 100644
--- a/lib/redmine/wiki_formatting/textile/redcloth3.rb
+++ b/lib/redmine/wiki_formatting/textile/redcloth3.rb
@@ -848,8 +848,12 @@ class RedCloth3 < String
 url=url[0..-2] # discard closing parenth from url
 post = ")"+post # add closing parenth to post
 end
+
+ url = htmlesc(url.dup)
+ next all if url.downcase.start_with?('javascript:')
+
 atts = pba( atts )
- atts = " href=\"#{ htmlesc url }#{ slash }\"#{ atts }"
+ atts = " href=\"#{ url }#{ slash }\"#{ atts }"
 atts << " title=\"#{ htmlesc title }\"" if title
 atts = shelve( atts ) if atts
 
@@ -970,6 +974,10 @@ class RedCloth3 < String
 url, url_title = check_refs( url )
 
 next m unless uri_with_safe_scheme?(url)
+ if href
+ href = htmlesc(href.dup)
+ next m if href.downcase.start_with?('javascript:')
+ end
 
 out = ''
 out << "" if href
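Review bot: The added guard `next all if url.downcase.start_with?('javascript:')` is a single-scheme denylist applied as an exact prefix match, so it only rejects values whose escaped form begins with that literal string. Any other scheme, or a value that does not start exactly with it, still reaches the `href` attribute. The same pattern is repeated for `href` in the second hunk. That hunk's context shows the file already has an allowlist-style helper, `uri_with_safe_scheme?`, so running the escaped value through it (`next all unless uri_with_safe_scheme?(url)`) looks more robust than naming one bad scheme, provided the helper still accepts the relative and anchor links this formatter has to allow. The enclosing block starts and ends outside the hunk, so whether `url` is already checked earlier in it cannot be confirmed from here.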
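Review bot: The escape-then-check order on `href` is the security-relevant part of this hunk, but nothing in the code says so, and the same two steps are copied from the first hunk. A one-line comment such as `# check the scheme on the escaped value, not the raw one` above `href = htmlesc(href.dup)` would stop a later refactor from moving the check back in front of the escaping. Pulling both copies into one private helper would keep the two call sites from drifting apart. The diffstat shows only this file changed, so a regression test covering both call sites is worth adding with the fix. The enclosing block begins and ends outside the hunk.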