Alter call to sanitizeXss

Addressing feature: Custom URL Schemes autolinked #3218

Create a custom SafeAttrValue function which can allow non-standard protocols such as thunderlink: cbthunderlink: and aodroplink: to operate correctly without getting the value stripped away. Any other protocols and code remain to be processed by the default safeAttrValue routine.

packages/markdown/src/template-integration.js

@@ -6,6 +6,26 @@ var Markdown = require('markdown-it')({
 	breaks: true,
 });
 
+// Additional  safeAttrValue function to allow for other specific protocols
+// See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114
+function mySafeAttrValue(tag, name, value, cssFilter) {
+  // only when the tag is 'a' and attribute is 'href'
+  // then use your custom function
+  if (tag === 'a' && name === 'href') {
+    // only filter the value if starts with 'cbthunderlink:' or 'aodroplink'
+    if (/^thunderlink:/ig.test(value) || /^cbthunderlink:/ig.test(value) || /^aodroplink:/ig.test(value)) {
+      return value;
+    }
+		else {
+    	// use the default safeAttrValue function to process all non cbthunderlinks
+    	return sanitizeXss.safeAttrValue(tag, name, value, cssFilter);
+  	}
+  } else {
+    // use the default safeAttrValue function to process it
+    return sanitizeXss.safeAttrValue(tag, name, value, cssFilter);
+  }
+};
+
 var emoji = require('markdown-it-emoji');
 Markdown.use(emoji);
 
@@ -22,6 +42,6 @@ if (Package.ui) {
 			text = Blaze._toText(self.templateContentBlock, HTML.TEXTMODE.STRING);
 		}
 
-			return HTML.Raw(sanitizeXss(Markdown.render(text)));
+			return HTML.Raw(sanitizeXss(Markdown.render(text), { safeAttrValue: mySafeAttrValue }));
 	}));
 }