diff --git a/src/wp-includes/js/tinymce/plugins/wplink/plugin.js b/src/wp-includes/js/tinymce/plugins/wplink/plugin.js
index 96357f2e9e..2266c641bd 100644
--- a/src/wp-includes/js/tinymce/plugins/wplink/plugin.js
+++ b/src/wp-includes/js/tinymce/plugins/wplink/plugin.js
@@ -4,7 +4,7 @@
renderHtml: function() {
return (
''
);
},
@@ -249,6 +249,13 @@
text = inputInstance.getLinkText();
editor.focus();
+ var parser = document.createElement( 'a' );
+ parser.href = href;
+
+ if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+ href = '';
+ }
+
if ( ! href ) {
editor.dom.remove( linkNode, true );
return;
diff --git a/src/wp-includes/js/wplink.js b/src/wp-includes/js/wplink.js
index 4a5b1557af..a4bfb36832 100644
--- a/src/wp-includes/js/wplink.js
+++ b/src/wp-includes/js/wplink.js
@@ -312,7 +312,7 @@ var wpLink;
var html = '';
@@ -337,6 +337,13 @@ var wpLink;
attrs = wpLink.getAttrs();
text = inputs.text.val();
+ var parser = document.createElement( 'a' );
+ parser.href = attrs.href;
+
+ if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+ attrs.href = '';
+ }
+
// If there's no href, return.
if ( ! attrs.href ) {
return;
@@ -389,6 +396,13 @@ var wpLink;
var attrs = wpLink.getAttrs(),
$link, text, hasText, $mceCaret;
+ var parser = document.createElement( 'a' );
+ parser.href = attrs.href;
+
+ if ( 'javascript:' === parser.protocol || 'data:' === parser.protocol ) { // jshint ignore:line
+ attrs.href = '';
+ }
+
if ( ! attrs.href ) {
editor.execCommand( 'unlink' );
wpLink.close();