From 1137be13fa93529b125f490d08c4486e1d0d356c Mon Sep 17 00:00:00 2001
From: Hendrik Brummermann
Date: Wed, 22 May 2024 12:42:14 +0200
Subject: [PATCH] only create links for trusted href values
---
 .../citeproc/csl/internal/format/HtmlFormat.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/citeproc-java/src/main/java/de/undercouch/citeproc/csl/internal/format/HtmlFormat.java b/citeproc-java/src/main/java/de/undercouch/citeproc/csl/internal/format/HtmlFormat.java
index f4acdcba..e49bf2b4 100644
--- a/citeproc-java/src/main/java/de/undercouch/citeproc/csl/internal/format/HtmlFormat.java
+++ b/citeproc-java/src/main/java/de/undercouch/citeproc/csl/internal/format/HtmlFormat.java
@@ -10,6 +10,7 @@ import org.apache.commons.text.StringEscapeUtils;
 import java.util.List;
+import java.util.Locale;
 import static de.undercouch.citeproc.csl.internal.behavior.FormattingAttributes.FS_ITALIC;
 import static de.undercouch.citeproc.csl.internal.behavior.FormattingAttributes.FW_BOLD;
@@ -58,7 +59,13 @@ protected String doFormatBibliographyEntry(TokenBuffer buffer,
 @Override
 protected String doFormatLink(String text, String uri) {
- return "" + text + "";
+ String uriLowerCase = uri.toLowerCase(Locale.ENGLISH);
+ if (uriLowerCase.startsWith("http://")
+ || uriLowerCase.startsWith("https://")
+ || uriLowerCase.startsWith("/")) {
+ return "" + text + "";
+ }
+ return text;
 }
 @Override
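Review bot: The `startsWith("/")` branch of the new allowlist also accepts scheme-relative references beginning with `//`, which resolve to a different host rather than a path on the current one, so if the intent is to link only to absolute http(s) URLs and local paths it should read `|| (uriLowerCase.startsWith("/") && !uriLowerCase.startsWith("//"))`. The prefix check also does not neutralize quote characters inside `uri`; the extracted hunk has lost the anchor markup, so I cannot see whether the href value is passed through `StringEscapeUtils` (imported at the top of this file) before concatenation — if it is not, that escaping is still needed alongside the scheme check. `uri.toLowerCase(Locale.ENGLISH)` throws on a null `uri`, which the previous unconditional concatenation tolerated; an early `if (uri == null) { return text; }` would keep the old behavior for that input. `Locale.ROOT` would be the conventional choice for a locale-neutral comparison, though the difference is immaterial for these ASCII prefixes.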