# HG changeset patch
# User Marcin Kuzminski
# Date 2018-10-24 13:08:27
# Node ID 7609f194b3f23f2f04c311b73ff9cb59461cac3e
# Parent 8bba6dde1bd9dc16b00259a3b6e9fd9017e3ef9c
security: improve Javascript RST sandbox to also catch mixed case.
diff --git a/rhodecode/lib/markup_renderer.py b/rhodecode/lib/markup_renderer.py
--- a/rhodecode/lib/markup_renderer.py
+++ b/rhodecode/lib/markup_renderer.py
@@ -60,7 +60,9 @@ class CustomHTMLTranslator(writers.html4
 refuri = node['refuri']
 if ':' in refuri:
 prefix, link = refuri.lstrip().split(':', 1)
- if prefix == 'javascript':
+ prefix = prefix or ''
+
+ if prefix.lower() == 'javascript':
 # we don't allow javascript type of refs...
 node['refuri'] = 'javascript:alert("SandBoxedJavascript")'