Harden farkup against cross-site scripting

extra/farkup/farkup.factor

@@ -1,8 +1,8 @@
 ! Copyright (C) 2008 Doug Coleman.
 ! See http://factorcode.org/license.txt for BSD license.
-USING: arrays io io.styles kernel memoize namespaces peg
-sequences strings html.elements xml.entities xmode.code2html
-splitting io.streams.string peg.parsers
+USING: arrays io io.styles kernel memoize namespaces peg math
+combinators sequences strings html.elements xml.entities
+xmode.code2html splitting io.streams.string peg.parsers
 sequences.deep unicode.categories ;
 IN: farkup
 
@@ -67,13 +67,19 @@ MEMO: eq ( -- parser )
         </pre>
     ] with-string-writer ;
 
+: invalid-url "javascript:alert('Invalid URL in farkup');" ;
+
 : check-url ( href -- href' )
-    CHAR: : over member? [
-        dup { "http://" "https://" "ftp://" } [ head? ] with contains?
-        [ drop "/" ] unless
-    ] [
-        relative-link-prefix get prepend
-    ] if ;
+    {
+        { [ dup empty? ] [ drop invalid-url ] }
+        { [ dup [ 127 > ] contains? ] [ drop invalid-url ] }
+        { [ dup first "/\\" member? ] [ drop invalid-url ] }
+        { [ CHAR: : over member? ] [
+            dup { "http://" "https://" "ftp://" } [ head? ] with contains?
+            [ drop invalid-url ] unless
+        ] }
+        [ relative-link-prefix get prepend ]
+    } cond ;
 
 : escape-link ( href text -- href-esc text-esc )
     >r check-url escape-quoted-string r> escape-string ;