From d731c8a474d4a76865565cbb766796d02426dd93 Mon Sep 17 00:00:00 2001
From: Liran Tal
Date: Fri, 7 Feb 2025 08:54:32 +0000
Subject: [PATCH] fix: regression in allowed image links using absolute or relative paths

---
 src/runtime/parser/utils/props.ts | 5 +++++
 test/markdown/images.test.ts | 28 ++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 test/markdown/images.test.ts

diff --git a/src/runtime/parser/utils/props.ts b/src/runtime/parser/utils/props.ts
index ea2cd10c..48d74fe9 100644
--- a/src/runtime/parser/utils/props.ts
+++ b/src/runtime/parser/utils/props.ts
@@ -15,6 +15,11 @@ function isAnchorLinkAllowed(value: string) {
     .replace(/&#(\d+);?/g, '')
     .replace(/&[a-z]+;?/gi, '')
 
+  // Check if the URL is a relative path
+  if (urlSanitized.startsWith('/') || urlSanitized.startsWith('./') || urlSanitized.startsWith('../')) {
+    return true
+  }
+
   try {
     const url = new URL(urlSanitized)
     if (unsafeLinkPrefix.some(prefix => url.protocol.toLowerCase().startsWith(prefix))) {
diff --git a/test/markdown/images.test.ts b/test/markdown/images.test.ts
new file mode 100644
index 00000000..d8b0c899
--- /dev/null
+++ b/test/markdown/images.test.ts
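Review bot: The new early return on `urlSanitized.startsWith('/')` also admits protocol-relative references such as `//host/path`, which then skip the `unsafeLinkPrefix` protocol check in the `try` block below and whatever host handling follows it; `isAnchorLinkAllowed` starts and ends outside the hunk, so I cannot see what a failed `new URL()` returned before this change, but the intent stated in the comment is same-origin paths, and those never start with `//`. If that is the intent, narrow the condition to `if ((urlSanitized.startsWith('/') && !urlSanitized.startsWith('//')) || urlSanitized.startsWith('./') || urlSanitized.startsWith('../')) {` and let `//` fall through to the existing parser path. The comment above the check should state the reasoning rather than the mechanics, e.g. `// Same-origin absolute or relative paths carry no scheme, so the protocol check below cannot apply to them; protocol-relative '//' URLs are deliberately not short-circuited.`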
@@ -0,0 +1,28 @@
+import { expect, it } from 'vitest'
+import { parseMarkdown } from '../utils/parser'
+
+const md = `
+# Some headline
+
+Following are some image links:
+
+![absolute image](/path/to/my/image.png)
+
+![relative image](../relative/path/to/image.png)
+
+![image](https://placehold.co/200x200.png)
+
+`.trim()
+
+it('Sanity test for image links, all should be allowed', async () => {
+  const { body } = await parseMarkdown(md)
+
+  expect(body.children[2].children[0].tag).toEqual('img')
+  expect(body.children[2].children[0].props.src).toEqual('/path/to/my/image.png')
+
+  expect(body.children[3].children[0].tag).toEqual('img')
+  expect(body.children[3].children[0].props.src).toEqual('../relative/path/to/image.png')
+
+  expect(body.children[4].children[0].tag).toEqual('img')
+  expect(body.children[4].children[0].props.src).toEqual('https://placehold.co/200x200.png')
+})
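Review bot: The test pins only the allow side of the fix; because the new `startsWith('/')` branch in `isAnchorLinkAllowed` returns before the `unsafeLinkPrefix` check runs, a companion case asserting that an image whose `src` uses a protocol in `unsafeLinkPrefix`, and one using a protocol-relative `//host/image.png`, are still not emitted as `img` would keep the regression fix from being widened silently later. The positional `body.children[2]`/`[3]`/`[4]` lookups depend on the exact markdown layout; a short comment such as `// children[0] is the heading, children[1] the intro paragraph; images follow in order` would make the indices readable. `parseMarkdown` comes from a test helper outside this diff, so I assume it runs the same sanitizer as the runtime parser.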