文本文件  |  28行  |  933 B

These links should be unsafe and not allowed in safe_mode

[link](javascript:alert%28'Hello%20world!'%29)
[link](vbscript:msgbox%28%22Hello%20world!%22%29)
[link](livescript:alert%28'Hello%20world!'%29)
[link](mocha:[code])
[link](jAvAsCrIpT:alert%28'Hello%20world!'%29)
[link](ja vas cr ipt:alert%28'Hello%20world!'%29)
[link](ja vas cr ipt:alert%28'Hello%20world!'%29)
[link](ja vas cr ipt:alert%28'Hello%20world!'%29)
[link](ja%09 %0Avas cr
ipt:alert%28'Hello%20world!'%29)
[link](ja%20vas%20cr%20ipt:alert%28'Hello%20world!'%29)
[link](live%20script:alert%28'Hello%20world!'%29)

![img](javascript:alert%29'XSS'%29)
[ref][]
![imgref][]

[ref]: javascript:alert%29'XSS'%29
[imgref]: javascript:alert%29'XSS'%29

These should work regardless:

[relative](relative/url.html)
[email](mailto:foo@bar.com)
[news scheme](news:some.news.group.com)
[http link](http://example.com)