diff --git a/src/wp-includes/js/tinymce/plugins/wplink/plugin.js b/src/wp-includes/js/tinymce/plugins/wplink/plugin.js
index a874e61091..2a7f697368 100644
--- a/src/wp-includes/js/tinymce/plugins/wplink/plugin.js
+++ b/src/wp-includes/js/tinymce/plugins/wplink/plugin.js
@@ -4,7 +4,7 @@
renderHtml: function() {
return (
''
);
},
@@ -249,6 +249,13 @@
text = inputInstance.getLinkText();
editor.focus();
+ var parser = document.createElement( 'a' );
+ parser.href = href;
+
+ if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+ href = '';
+ }
+
if ( ! href ) {
editor.dom.remove( linkNode, true );
return;
diff --git a/src/wp-includes/js/wplink.js b/src/wp-includes/js/wplink.js
index 652ed688a3..ca2b394438 100644
--- a/src/wp-includes/js/wplink.js
+++ b/src/wp-includes/js/wplink.js
@@ -312,7 +312,7 @@ var wpLink;
var html = '';
@@ -337,6 +337,13 @@ var wpLink;
attrs = wpLink.getAttrs();
text = inputs.text.val();
+ var parser = document.createElement( 'a' );
+ parser.href = attrs.href;
+
+ if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+ attrs.href = '';
+ }
+
// If there's no href, return.
if ( ! attrs.href ) {
return;
@@ -390,6 +397,13 @@ var wpLink;
var attrs = wpLink.getAttrs(),
$link, text, hasText, $mceCaret;
+ var parser = document.createElement( 'a' );
+ parser.href = attrs.href;
+
+ if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+ attrs.href = '';
+ }
+
if ( ! attrs.href ) {
editor.execCommand( 'unlink' );
wpLink.close();