fix #4756: markdown notes: allow any valid URL for a tags

As anchor elements cannot load things into the current browsing
context and are not necessarily more dangerous to users compared to
HTTP(S) links, which we allowed since adding markdown rendering in
the first place.

Allows adding short-cuts for virtual guest resources, like RDP or SSH
links.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/Parser.js b/src/Parser.js
index e283df8a058c500bd9582cb0111da9f29ef639f8..08e2502e0dc99ec154cc338ae66d518396af7b79 100644 (file)
--- a/src/Parser.js
+++ b/src/Parser.js
@@ -34,6 +34,7 @@ Ext.define('Proxmox.Markdown', {
                        let url = new URL(value, window.location.origin);
                        if (
                            _isHTTPLike(url.protocol) ||
+                           node.tagName.toLowerCase() === 'a' ||
                            (node.tagName.toLowerCase() === 'img' && url.protocol.toLowerCase() === 'data:')
                        ) {
                            node.attributes[i].value = url.href;