From 5ef2b7c9dc257e1bafb4425630b0d7cfaf5c8090 Mon Sep 17 00:00:00 2001
From: Sunshine
Date: Mon, 3 Feb 2020 01:42:46 -0500
Subject: [PATCH] nullify JS within As' href attributes when needed

---
 src/html.rs | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/html.rs b/src/html.rs
index 4d34e99..7f9c91f 100644
--- a/src/html.rs
+++ b/src/html.rs
@@ -22,8 +22,7 @@ const ICON_VALUES: &[&str] = &[
 "fluid-icon",
 ];
 
-const TRANSPARENT_PIXEL: &str =
- "data:image/png;base64,\
+const TRANSPARENT_PIXEL: &str = "data:image/png;base64,\
 iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=";
 
 pub fn get_parent_node(node: &Handle) -> Handle {
@@ -291,6 +290,14 @@ pub fn walk_and_embed_assets(
 for attr in attrs_mut.iter_mut() {
 if &attr.name.local == "href" {
 let attr_value = attr.value.trim();
+
+ if opt_no_js && attr_value.starts_with("javascript:") {
+ attr.value.clear();
+ // Replace with empty JS call to preserve original behavior
+ attr.value.push_slice("javascript:;");
+ continue;
+ }
+
 // Don't touch email links or hrefs which begin with a hash sign
 if attr_value.starts_with('#') || url_has_protocol(attr_value) {
 continue;
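Review bot: The new guard `attr_value.starts_with("javascript:")` in the second hunk is case-sensitive, but browsers match URL schemes ASCII-case-insensitively, so with `opt_no_js` set an href whose scheme is written in mixed case is not blanked and falls through to the `url_has_protocol` check below, where it appears to be left in the saved page unchanged. Compare the prefix without regard to case, e.g. `if opt_no_js && attr_value.get(..11).map_or(false, |p| p.eq_ignore_ascii_case("javascript:")) {`. URL parsers also drop ASCII tab and newline characters from the value before reading the scheme, which `trim()` only covers at the ends, so it is worth normalising those before the comparison and adding a test that pins both cases. The body of `walk_and_embed_assets` starts and ends outside this hunk, so whether other URL-bearing attributes get the same treatment cannot be judged from here.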