From 387a56fd2c5bc6dc62186fa1fe162f2e2a55ddf3 Mon Sep 17 00:00:00 2001
From: Brendan Dahl <brendan.dahl@gmail.com>
Date: Mon, 12 Mar 2012 12:00:30 -0700
Subject: [PATCH] Sanitize pdf link urls.
---
 src/core.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/core.js b/src/core.js
index 86e3eeb5f..341cf6422 100644
--- a/src/core.js
+++ b/src/core.js
@@ -338,7 +338,13 @@ var Page = (function PageClosure() {
 if (a) {
 switch (a.get('S').name) {
 case 'URI':
- item.url = a.get('URI');
+ var url = a.get('URI');
+ // TODO: pdf spec mentions urls can be relative to a Base
+ // entry in the dictionary.
+ // For now only allow http and https schemes.
+ if (url.search(/^https?\:/) !== 0)
+ url = '';
+ item.url = url;
 break;
 case 'GoTo':
 item.dest = a.get('D');
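Review bot: The scheme check `url.search(/^https?\:/) !== 0` assumes `a.get('URI')` is a string; the value comes from the PDF's action dictionary, so a missing or non-string URI entry would presumably throw here instead of being dropped (`a.get` is defined outside the hunk, so this is inferred). The match is also case-sensitive, so a link written as `HTTP://…` is blanked even though URI schemes are case-insensitive; that fails closed, but it discards legitimate links. I would write the guard as `if (typeof url !== 'string' || !/^https?:/i.test(url)) url = '';`. Consumers of `item.url` should treat the empty string as "no link", since an empty href resolves to the current document. The enclosing function starts and ends outside the hunk.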