From 3459e91645cb56e98c0e7efcada3721f19178278 Mon Sep 17 00:00:00 2001
From: Kharec
Date: Thu, 11 Dec 2025 15:58:07 +0100
Subject: [PATCH] test: add encoded protocol XSS regression tests for links/images
---
 t/04-links-images.t | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/t/04-links-images.t b/t/04-links-images.t
index 60b9949..929bb73 100755
--- a/t/04-links-images.t
+++ b/t/04-links-images.t
@@ -2,7 +2,7 @@ use strict;
 use warnings;
-use Test::More tests => 8;
+use Test::More tests => 10;
 use MarkdownParser;
 my $parser = MarkdownParser->new();
@@ -37,8 +37,14 @@ is( "

Click me

\n", "Data protocol blocked in links" ); +is( + $parser->parse("[Click me](javascript:alert('XSS'))"), + "

Click me

\n", + "Encoded JavaScript protocol blocked in links" +); is( $parser->parse("![Image](javascript:alert('XSS'))"), "

Image

\n", "JavaScript protocol blocked in images" ); is( $parser->parse("![Image](file:///etc/passwd)"), "

Image

\n", "File protocol blocked in images" ); - +is( $parser->parse("![Image](javascript:%2f%2falert('XSS'))"), + "

Image

\n", "Encoded JavaScript protocol blocked in images" );
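Review bot: The input of the new links test, `[Click me](javascript:alert('XSS'))` as rendered here, is the same unencoded form the existing image test in this hunk already uses, so it does not exercise any decoding path; if the source line actually holds an entity- or percent-encoded scheme that the page rendering decoded, the test description should name that encoding, otherwise the case is a duplicate. The new image test's `javascript:%2f%2falert('XSS')` percent-encodes only the path after the scheme, so the literal `javascript:` token is still present and a parser that merely string-matches the scheme prefix rejects it without ever decoding; a regression for an encoded-scheme bypass needs a character inside the scheme token itself encoded, with the `%2f` form kept as a second case. A one-line comment above each new `is(` stating what the encoding form is meant to catch, e.g. `# Regression: scheme must be rejected after percent-decoding, not only on the literal prefix`, would make the intent checkable by the next reader. Style: the links test is spread over five lines while every neighbouring `is(` in the file is a single line; match the surrounding layout.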