Prefer explicit rules over regexp

policy.go

@@ -118,7 +118,11 @@ type Policy struct {
 	allowURLSchemes map[string][]urlPolicy
 
 	// These regexps are used to match allowed URL schemes, for example
-	// if one would want to allow all URL schemes, they would add `.+`
+	// if one would want to allow all URL schemes, they would add `.+`.
+	// However pay attention as this can lead to XSS being rendered thus
+	// defeating the purpose of using a HTML sanitizer.
+	// The regexps are only considered if a schema was not explicitly
+	// handled by `AllowURLSchemes` or `AllowURLSchemeWithCustomPolicy`.
 	allowURLSchemeRegexps []*regexp.Regexp
 
 	// If an element has had all attributes removed as a result of a policy

sanitize.go

@@ -970,14 +970,14 @@ func (p *Policy) validURL(rawurl string) (string, bool) {
 		}
 
 		if u.Scheme != "" {
-			for _, r := range p.allowURLSchemeRegexps {
-				if r.MatchString(u.Scheme) {
-					return u.String(), true
-				}
-			}
-
 			urlPolicies, ok := p.allowURLSchemes[u.Scheme]
 			if !ok {
+				for _, r := range p.allowURLSchemeRegexps {
+					if r.MatchString(u.Scheme) {
+						return u.String(), true
+					}
+				}
+
 				return "", false
 			}
 

sanitize_test.go

@@ -4007,4 +4007,22 @@ func TestIssue174(t *testing.T) {
 			out,
 			expected)
 	}
+
+	// Custom handling of specific URL schemes even if the regex allows all
+	p.AllowURLSchemeWithCustomPolicy("javascript", func(*url.URL) bool {
+		return false
+	})
+
+	input = `<a href="cbthunderlink://somebase64string"></a>
+<a href="javascript:alert('test')">xss</a>`
+	out = p.Sanitize(input)
+	expected = `<a href="cbthunderlink://somebase64string" rel="nofollow"></a>
+xss`
+	if out != expected {
+		t.Errorf(
+			"test failed;\ninput   : %s\noutput  : %s\nexpected: %s",
+			input,
+			out,
+			expected)
+	}
 }