urlencode urls that are potentially unsafe:

this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use)
but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded)

this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.

Parsedown.php

@@ -87,7 +87,6 @@ class Parsedown
     protected $safeLinksWhitelist = array(
         'http://',
         'https://',
-        '/',
         'ftp://',
         'ftps://',
         'mailto:',
@@ -1554,7 +1553,14 @@ class Parsedown
 
             if ( ! $safe)
             {
-                unset($Element['attributes'][$attribute]);
+                $Element['attributes'][$attribute] = preg_replace_callback(
+                    '/[^\/#?&=%]++/',
+                    function (array $match)
+                    {
+                        return urlencode($match[0]);
+                    },
+                    $Element['attributes'][$attribute]
+                );
             }
         }
 

test/data/inline_link.html

@@ -1,5 +1,5 @@
 <p><a href="http://example.com">link</a></p>
-<p><a href="/url-(parentheses)">link</a> with parentheses in URL </p>
+<p><a href="/url-%28parentheses%29">link</a> with parentheses in URL </p>
 <p>(<a href="/index.php">link</a>) in parentheses</p>
 <p><a href="http://example.com"><code>link</code></a></p>
 <p><a href="http://example.com"><img src="http://parsedown.org/md.png" alt="MD Logo" /></a></p>

test/data/xss_bad_url.html

@@ -1,16 +1,16 @@
-<p><a>xss</a></p>
-<p><a>xss</a></p>
-<p><a>xss</a></p>
-<p><a>xss</a></p>
-<p><img alt="xss" /></p>
-<p><img alt="xss" /></p>
-<p><img alt="xss" /></p>
-<p><img alt="xss" /></p>
-<p><a>xss</a></p>
-<p><a>xss</a></p>
-<p><a>xss</a></p>
-<p><a>xss</a></p>
-<p><img alt="xss" /></p>
-<p><img alt="xss" /></p>
-<p><img alt="xss" /></p>
-<p><img alt="xss" /></p>
+<p><a href="javascript%3Aalert%281%29">xss</a></p>
+<p><a href="javascript%3Aalert%281%29">xss</a></p>
+<p><a href="javascript%3A//alert%281%29">xss</a></p>
+<p><a href="javascript&amp;colon%3Balert%281%29">xss</a></p>
+<p><img src="javascript%3Aalert%281%29" alt="xss" /></p>
+<p><img src="javascript%3Aalert%281%29" alt="xss" /></p>
+<p><img src="javascript%3A//alert%281%29" alt="xss" /></p>
+<p><img src="javascript&amp;colon%3Balert%281%29" alt="xss" /></p>
+<p><a href="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data%3A//text/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data&amp;colon%3Btext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><img src="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data%3A//text/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data&amp;colon%3Btext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>