From 4fca2cccca1d887a16d729ed14f5ea130ee00928 Mon Sep 17 00:00:00 2001
From: David Larlet
Date: Wed, 14 Jun 2023 12:56:32 -0400
Subject: [PATCH] Allow `geo:` scheme in (description) links Fix #1140
---
 umap/static/umap/js/umap.core.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/umap/static/umap/js/umap.core.js b/umap/static/umap/js/umap.core.js
index cd4b8b8d..84ef5f2e 100644
--- a/umap/static/umap/js/umap.core.js
+++ b/umap/static/umap/js/umap.core.js
@@ -64,6 +64,12 @@ L.Util.escapeHTML = (s) => {
 ],
 ADD_ATTR: ['target', 'allow', 'allowfullscreen', 'frameborder', 'scrolling'],
 ALLOWED_ATTR: ['href', 'src', 'width', 'height'],
+ // Added: `geo:` URL scheme as defined in RFC5870:
+ // https://www.rfc-editor.org/rfc/rfc5870.html
+ // The base RegExp comes from:
+ // https://github.com/cure53/DOMPurify/blob/main/src/regexp.js#L10
+ ALLOWED_URI_REGEXP:
+ /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|geo):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,
 })
 return s
 }
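Review bot: The `ALLOWED_URI_REGEXP` override is a hand copy of DOMPurify's default with `geo` appended, and its comment links to `regexp.js` on `main`, so the copy will silently diverge if the library later changes its default, and the `#L10` anchor will stop pointing at the line it was taken from. Pin the reference to the tag or commit the expression was copied from and record it next to the option, e.g. `// Copied from DOMPurify <version> (src/regexp.js, IS_ALLOWED_URI) plus geo; re-sync on upgrade.` As far as I know this option is checked against every URI-valued attribute, and `ALLOWED_ATTR` on the line above includes `src`, so `geo:` is accepted there as well as in `href`; if only links are meant, a short comment saying so would help the next reader. A regression test asserting that `L.Util.escapeHTML` still strips a `javascript:` href while keeping a `geo:` one would guard the override; the function body starts outside the hunk, so the tag list it applies to is not visible here.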