securemark 0.260.2 → 0.260.3

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.260.3
+
+- Refactoring.
+
 ## 0.260.2
 
 - Refactoring.

package/design.md

@@ -332,3 +332,7 @@ Data URIは保存および転送容量削減ならびにユーザーおよび管
 - \<small>: 法的表記を縮小表示すべきでないため削除。
 - \<sub>: \<small>の代わりに使用されないよう削除。他の構文との相性も悪い。
 - \<sup>: 同上。
+
+### _ emphasis
+
+オートリンクと非常に相性が悪いため不採用。

package/dist/index.js

@@ -1,4 +1,4 @@
-/*! securemark v0.260.2 https://github.com/falsandtru/securemark | (c) 2017, falsandtru | UNLICENSED License */
+/*! securemark v0.260.3 https://github.com/falsandtru/securemark | (c) 2017, falsandtru | UNLICENSED License */
 (function webpackUniversalModuleDefinition(root, factory) {
 	if(typeof exports === 'object' && typeof module === 'object')
 		module.exports = factory(require("DOMPurify"), require("Prism"));
@@ -5944,15 +5944,15 @@ const source_1 = __webpack_require__(6743);
 
 const util_1 = __webpack_require__(9437);
 
-exports.autolink = (0, combinator_1.fmap)((0, combinator_1.validate)(/^(?:[@#>0-9A-Za-z]|\S[#>])/, (0, combinator_1.constraint)(2
+exports.autolink = (0, combinator_1.fmap)((0, combinator_1.validate)(/^(?:[@#>0-9a-z]|\S[#>])/i, (0, combinator_1.constraint)(2
 /* State.autolink */
 , false, (0, combinator_1.syntax)(2
 /* Syntax.autolink */
 , 1, 1, 0
 /* State.none */
 , (0, combinator_1.some)((0, combinator_1.union)([url_1.url, email_1.email, // Escape unmatched email-like strings.
-(0, source_1.str)(/^[0-9A-Za-z]+(?:[.+_-][0-9A-Za-z]+)*(?:@(?:[0-9A-Za-z]+(?:[.-][0-9A-Za-z]+)*)?)*/), channel_1.channel, account_1.account, // Escape unmatched account-like strings.
-(0, source_1.str)(/^@+[0-9A-Za-z]*(?:-[0-9A-Za-z]+)*/), // Escape invalid leading characters.
+(0, source_1.str)(/^[0-9a-z]+(?:[.+_-][0-9a-z]+)*(?:@(?:[0-9a-z]+(?:[.-][0-9a-z]+)*)?)*/i), channel_1.channel, account_1.account, // Escape unmatched account-like strings.
+(0, source_1.str)(/^@+[0-9a-z]*(?:-[0-9a-z]+)*/i), // Escape invalid leading characters.
 (0, source_1.str)(new RegExp(/^(?:[^\p{C}\p{S}\p{P}\s]|emoji|['_])(?=#)/u.source.replace('emoji', hashtag_1.emoji), 'u')), hashtag_1.hashtag, hashnum_1.hashnum, // Escape unmatched hashtag-like strings.
 (0, source_1.str)(new RegExp(/^#+(?:[^\p{C}\p{S}\p{P}\s]|emoji|['_])*/u.source.replace('emoji', hashtag_1.emoji), 'u')), anchor_1.anchor]))))), ns => ns.length === 1 ? ns : [(0, util_1.stringify)(ns)]);
 
@@ -5980,7 +5980,7 @@ const dom_1 = __webpack_require__(3252); // https://example/@user must be a user
 
 exports.account = (0, combinator_1.lazy)(() => (0, combinator_1.fmap)((0, combinator_1.rewrite)((0, combinator_1.constraint)(1
 /* State.shortcut */
-, false, (0, combinator_1.open)('@', (0, combinator_1.tails)([(0, combinator_1.verify)((0, source_1.str)(/^[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?)*\//), ([source]) => source.length <= 253 + 1), (0, combinator_1.verify)((0, source_1.str)(/^[A-Za-z][0-9A-Za-z]*(?:-[0-9A-Za-z]+)*/), ([source]) => source.length <= 64)]))), (0, combinator_1.convert)(source => `[${source}]{ ${source.includes('/') ? `https://${source.slice(1).replace('/', '/@')}` : `/${source}`} }`, (0, combinator_1.union)([link_1.unsafelink]))), ([el]) => [(0, dom_1.define)(el, {
+, false, (0, combinator_1.open)('@', (0, combinator_1.tails)([(0, combinator_1.verify)((0, source_1.str)(/^[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?(?:\.[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?)*\//i), ([source]) => source.length <= 253 + 1), (0, source_1.str)(/^[a-z](?:-(?=[0-9a-z])|[0-9a-z]){0,63}/i)]))), (0, combinator_1.convert)(source => `[${source}]{ ${source.includes('/') ? `https://${source.slice(1).replace('/', '/@')}` : `/${source}`} }`, (0, combinator_1.union)([link_1.unsafelink]))), ([el]) => [(0, dom_1.define)(el, {
   class: 'account'
 })]));
 
@@ -6011,7 +6011,7 @@ const dom_1 = __webpack_require__(3252); // Timeline(pseudonym): user/tid
 
 exports.anchor = (0, combinator_1.lazy)(() => (0, combinator_1.validate)('>>', (0, combinator_1.fmap)((0, combinator_1.constraint)(1
 /* State.shortcut */
-, false, (0, combinator_1.focus)(/^>>(?:[A-Za-z][0-9A-Za-z]*(?:-[0-9A-Za-z]+)*\/)?[0-9A-Za-z]+(?:-[0-9A-Za-z]+)*(?![0-9A-Za-z@#:])/, (0, combinator_1.convert)(source => `[${source}]{ ${source.includes('/') ? `/@${source.slice(2).replace('/', '/timeline/')}` : `?at=${source.slice(2)}`} }`, (0, combinator_1.union)([link_1.unsafelink])))), ([el]) => [(0, dom_1.define)(el, {
+, false, (0, combinator_1.focus)(/^>>(?:[a-z][0-9a-z]*(?:-[0-9a-z]+)*\/)?[0-9a-z]+(?:-[0-9a-z]+)*(?![0-9a-z@#:])/i, (0, combinator_1.convert)(source => `[${source}]{ ${source.includes('/') ? `/@${source.slice(2).replace('/', '/timeline/')}` : `?at=${source.slice(2)}`} }`, (0, combinator_1.union)([link_1.unsafelink])))), ([el]) => [(0, dom_1.define)(el, {
   class: 'anchor'
 })])));
 
@@ -6070,7 +6070,7 @@ const source_1 = __webpack_require__(6743);
 const dom_1 = __webpack_require__(3252); // https://html.spec.whatwg.org/multipage/input.html
 
 
-exports.email = (0, combinator_1.creation)((0, combinator_1.rewrite)((0, combinator_1.verify)((0, source_1.str)(/^[0-9A-Za-z]+(?:[.+_-][0-9A-Za-z]+)*@[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?)*(?![0-9A-Za-z])/), ([source]) => source.indexOf('@') <= 64 && source.length <= 255), ({
+exports.email = (0, combinator_1.creation)((0, combinator_1.rewrite)((0, combinator_1.verify)((0, source_1.str)(/^[0-9a-z](?:[.+_-](?=[^\W_])|[0-9a-z]){0,255}@[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?(?:\.[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?)*(?![0-9a-z])/i), ([source]) => source.length <= 255), ({
   source
 }) => [[(0, dom_1.html)('a', {
   class: 'email',
@@ -6133,7 +6133,7 @@ const dom_1 = __webpack_require__(3252); // https://example/hashtags/a must be a
 exports.emoji = String.raw`\p{Emoji_Modifier_Base}\p{Emoji_Modifier}?|\p{Emoji_Presentation}|\p{Emoji}\uFE0F`;
 exports.hashtag = (0, combinator_1.lazy)(() => (0, combinator_1.fmap)((0, combinator_1.rewrite)((0, combinator_1.constraint)(1
 /* State.shortcut */
-, false, (0, combinator_1.open)('#', (0, combinator_1.tails)([(0, combinator_1.verify)((0, source_1.str)(/^[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?)*\//), ([source]) => source.length <= 253 + 1), (0, combinator_1.verify)((0, source_1.str)(new RegExp([/^(?=[0-9]{0,127}_?(?:[^\d\p{C}\p{S}\p{P}\s]|emoji))/u.source, /(?:[^\p{C}\p{S}\p{P}\s]|emoji|_(?=[^\p{C}\p{S}\p{P}\s]|emoji)){1,128}/u.source, /(?!_?(?:[^\p{C}\p{S}\p{P}\s]|emoji)|')/u.source].join('').replace(/emoji/g, exports.emoji), 'u')), ([source]) => source.length <= 128)]))), (0, combinator_1.convert)(source => `[${source}]{ ${source.includes('/') ? `https://${source.slice(1).replace('/', '/hashtags/')}` : `/hashtags/${source.slice(1)}`} }`, (0, combinator_1.union)([link_1.unsafelink]))), ([el]) => [(0, dom_1.define)(el, {
+, false, (0, combinator_1.open)('#', (0, combinator_1.tails)([(0, combinator_1.verify)((0, source_1.str)(/^[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?(?:\.[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?)*\//i), ([source]) => source.length <= 253 + 1), (0, combinator_1.verify)((0, source_1.str)(new RegExp([/^(?=[0-9]{0,127}_?(?:[^\d\p{C}\p{S}\p{P}\s]|emoji))/u.source, /(?:[^\p{C}\p{S}\p{P}\s]|emoji|_(?=[^\p{C}\p{S}\p{P}\s]|emoji)){1,128}/u.source, /(?!_?(?:[^\p{C}\p{S}\p{P}\s]|emoji)|')/u.source].join('').replace(/emoji/g, exports.emoji), 'u')), ([source]) => source.length <= 128)]))), (0, combinator_1.convert)(source => `[${source}]{ ${source.includes('/') ? `https://${source.slice(1).replace('/', '/hashtags/')}` : `/hashtags/${source.slice(1)}`} }`, (0, combinator_1.union)([link_1.unsafelink]))), ([el]) => [(0, dom_1.define)(el, {
   class: 'hashtag'
 }, el.innerText)]));
 
@@ -6931,17 +6931,6 @@ const textlink = (0, combinator_1.lazy)(() => (0, combinator_1.constraint)(8
 , 2, 10, 254
 /* State.linkable */
 , (0, combinator_1.bind)((0, combinator_1.reverse)((0, combinator_1.tails)([(0, combinator_1.dup)((0, combinator_1.surround)('[', (0, combinator_1.some)((0, combinator_1.union)([inline_1.inline]), ']', [[/^\\?\n/, 9], [']', 2]]), ']', true)), (0, combinator_1.dup)((0, combinator_1.surround)(/^{(?![{}])/, (0, combinator_1.inits)([exports.uri, (0, combinator_1.some)(exports.option)]), /^[^\S\n]*}/))])), ([params, content = []], rest, context) => {
-  if (content.length !== 0 && (0, visibility_1.trimNode)(content).length === 0) return;
-
-  for (let source = (0, util_1.stringify)(content); source;) {
-    const result = autolink({
-      source,
-      context
-    });
-    if (typeof (0, parser_1.eval)(result, [])[0] === 'object') return;
-    source = (0, parser_1.exec)(result, '');
-  }
-
   return parse(content, params, rest, context);
 }))));
 const medialink = (0, combinator_1.lazy)(() => (0, combinator_1.constraint)(8
@@ -6965,8 +6954,37 @@ const autolink = (0, combinator_1.state)(2
 , autolink_1.autolink));
 
 function parse(content, params, rest, context) {
+  if (content.length !== 0 && (0, visibility_1.trimNode)(content).length === 0) return;
+  content = (0, dom_1.defrag)(content);
+
+  for (let source = (0, util_1.stringify)(content); source;) {
+    if (/^[a-z][0-9a-z]*(?:[-.][0-9a-z]+)*:\/\/[^/?#]/i.test(source)) return;
+    const result = autolink({
+      source,
+      context
+    });
+    if (typeof (0, parser_1.eval)(result, [])[0] === 'object') return;
+    source = (0, parser_1.exec)(result, '');
+  }
+
   const INSECURE_URI = params.shift();
-  const el = elem(INSECURE_URI, (0, dom_1.defrag)(content), new url_1.ReadonlyURL(resolve(INSECURE_URI, context.host ?? global_1.location, context.url ?? context.host ?? global_1.location), context.host?.href || global_1.location.href), context.host?.origin || global_1.location.origin);
+  const uri = new url_1.ReadonlyURL(resolve(INSECURE_URI, context.host ?? global_1.location, context.url ?? context.host ?? global_1.location), context.host?.href || global_1.location.href);
+
+  switch (uri.protocol) {
+    case 'tel:':
+      {
+        const tel = content.length === 0 ? INSECURE_URI : content[0];
+        const pattern = /^(?:tel:)?(?:\+(?!0))?\d+(?:-\d+)*$/i;
+
+        if (content.length <= 1 && typeof tel === 'string' && pattern.test(tel) && pattern.test(INSECURE_URI) && tel.replace(/[^+\d]/g, '') === INSECURE_URI.replace(/[^+\d]/g, '')) {
+          break;
+        }
+
+        return;
+      }
+  }
+
+  const el = elem(INSECURE_URI, content, uri, context.host?.origin || global_1.location.origin);
   if (el.className === 'invalid') return [[el], rest];
   return [[(0, dom_1.define)(el, (0, html_1.attributes)('link', [], optspec, params))], rest];
 }
@@ -6991,23 +7009,10 @@ function elem(INSECURE_URI, content, uri, origin) {
       }, content.length === 0 ? decode(INSECURE_URI) : content);
 
     case 'tel:':
-      if (content.length === 0) {
-        content = [INSECURE_URI];
-      }
-
-      const pattern = /^(?:tel:)?(?:\+(?!0))?\d+(?:-\d+)*$/i;
-
-      switch (true) {
-        case content.length === 1 && typeof content[0] === 'string' && pattern.test(INSECURE_URI) && pattern.test(content[0]) && INSECURE_URI.replace(/[^+\d]/g, '') === content[0].replace(/[^+\d]/g, ''):
-          return (0, dom_1.html)('a', {
-            class: 'tel',
-            href: uri.source
-          }, content);
-      }
-
-      type = 'content';
-      message = 'Invalid phone number';
-      break;
+      return (0, dom_1.html)('a', {
+        class: 'tel',
+        href: uri.source
+      }, content.length === 0 ? [INSECURE_URI] : content);
   }
 
   return (0, dom_1.html)('a', {
@@ -7023,7 +7028,7 @@ function resolve(uri, host, source) {
     case uri.slice(0, 2) === '^/':
       const last = host.pathname.slice(host.pathname.lastIndexOf('/') + 1);
       return last.includes('.') // isFile
-      && /^[0-9]*[A-Za-z][0-9A-Za-z]*$/.test(last.slice(last.lastIndexOf('.') + 1)) ? `${host.pathname.slice(0, -last.length)}${uri.slice(2)}` : `${host.pathname.replace(/\/?$/, '/')}${uri.slice(2)}`;
+      && /^[0-9]*[a-z][0-9a-z]*$/i.test(last.slice(last.lastIndexOf('.') + 1)) ? `${host.pathname.slice(0, -last.length)}${uri.slice(2)}` : `${host.pathname.replace(/\/?$/, '/')}${uri.slice(2)}`;
 
     case host.origin === source.origin && host.pathname === source.pathname:
     case uri.slice(0, 2) === '//':
@@ -7039,9 +7044,16 @@ exports.resolve = resolve;
 
 function decode(uri) {
   if (!uri.includes('%')) return uri;
+  const origin = uri.match(/^[a-z](?:[-.](?=\w)|[0-9a-z])*:\/\/[^/?#]*/i)?.[0] ?? '';
 
   try {
-    uri = (0, global_1.decodeURI)(uri);
+    let path = (0, global_1.decodeURI)(uri.slice(origin.length));
+
+    if (!origin && /^[a-z](?:[-.](?=\w)|[0-9a-z])*:\/\/[^/?#]/i.test(path)) {
+      path = uri.slice(origin.length);
+    }
+
+    uri = origin + path;
   } finally {
     return uri.replace(/\s+/g, global_1.encodeURI);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securemark",
-  "version": "0.260.2",
+  "version": "0.260.3",
   "description": "Secure markdown renderer working on browsers for user input data.",
   "private": false,
   "homepage": "https://github.com/falsandtru/securemark",
@@ -34,11 +34,11 @@
     "@types/mocha": "9.1.1",
     "@types/power-assert": "1.5.8",
     "@types/prismjs": "1.26.0",
-    "@typescript-eslint/parser": "^5.29.0",
+    "@typescript-eslint/parser": "^5.30.7",
     "babel-loader": "^8.2.5",
     "babel-plugin-unassert": "^3.2.0",
-    "concurrently": "^7.2.2",
-    "eslint": "^8.18.0",
+    "concurrently": "^7.3.0",
+    "eslint": "^8.20.0",
     "eslint-plugin-redos": "^4.4.1",
     "eslint-webpack-plugin": "^3.2.0",
     "glob": "^8.0.3",
@@ -49,7 +49,7 @@
     "karma-mocha": "^2.0.1",
     "karma-power-assert": "^1.0.0",
     "mocha": "^10.0.0",
-    "npm-check-updates": "^14.1.1",
+    "npm-check-updates": "^15.3.4",
     "semver": "^7.3.7",
     "spica": "0.0.573",
     "ts-loader": "^9.3.1",

package/src/parser/inline/autolink/account.ts

@@ -13,11 +13,9 @@ export const account: AutolinkParser.AccountParser = lazy(() => fmap(rewrite(
     '@',
     tails([
       verify(
-        str(/^[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?)*\//),
+        str(/^[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?(?:\.[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?)*\//i),
         ([source]) => source.length <= 253 + 1),
-      verify(
-        str(/^[A-Za-z][0-9A-Za-z]*(?:-[0-9A-Za-z]+)*/),
-        ([source]) => source.length <= 64),
+      str(/^[a-z](?:-(?=[0-9a-z])|[0-9a-z]){0,63}/i),
     ]))),
   convert(
     source =>

package/src/parser/inline/autolink/anchor.ts

@@ -16,7 +16,7 @@ import { define } from 'typed-dom/dom';
 export const anchor: AutolinkParser.AnchorParser = lazy(() => validate('>>', fmap(
   constraint(State.shortcut, false,
   focus(
-    /^>>(?:[A-Za-z][0-9A-Za-z]*(?:-[0-9A-Za-z]+)*\/)?[0-9A-Za-z]+(?:-[0-9A-Za-z]+)*(?![0-9A-Za-z@#:])/,
+    /^>>(?:[a-z][0-9a-z]*(?:-[0-9a-z]+)*\/)?[0-9a-z]+(?:-[0-9a-z]+)*(?![0-9a-z@#:])/i,
     convert(
       source =>
         `[${source}]{ ${

package/src/parser/inline/autolink/email.test.ts

@@ -21,6 +21,7 @@ describe('Unit: parser/inline/autolink/email', () => {
       assert.deepStrictEqual(inspect(parser('a@@')), [['a@@'], '']);
       assert.deepStrictEqual(inspect(parser('a@@b')), [['a@@b'], '']);
       assert.deepStrictEqual(inspect(parser('a+@b')), [['a'], '+@b']);
+      assert.deepStrictEqual(inspect(parser('a__b@c')), [['a'], '__b@c']);
       assert.deepStrictEqual(inspect(parser('a..b@c')), [['a'], '..b@c']);
       assert.deepStrictEqual(inspect(parser('a++b@c')), [['a'], '++b@c']);
       assert.deepStrictEqual(inspect(parser(`a@${'b'.repeat(64)}`)), [[`a@${'b'.repeat(64)}`], '']);

package/src/parser/inline/autolink/email.ts

@@ -6,6 +6,6 @@ import { html } from 'typed-dom/dom';
 // https://html.spec.whatwg.org/multipage/input.html
 
 export const email: AutolinkParser.EmailParser = creation(rewrite(verify(
-  str(/^[0-9A-Za-z]+(?:[.+_-][0-9A-Za-z]+)*@[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?)*(?![0-9A-Za-z])/),
-  ([source]) => source.indexOf('@') <= 64 && source.length <= 255),
+  str(/^[0-9a-z](?:[.+_-](?=[^\W_])|[0-9a-z]){0,255}@[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?(?:\.[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?)*(?![0-9a-z])/i),
+  ([source]) => source.length <= 255),
   ({ source }) => [[html('a', { class: 'email', href: `mailto:${source}` }, source)], '']));

package/src/parser/inline/autolink/hashtag.ts

@@ -16,7 +16,7 @@ export const hashtag: AutolinkParser.HashtagParser = lazy(() => fmap(rewrite(
     '#',
     tails([
       verify(
-        str(/^[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-(?=\w)){0,61}[0-9A-Za-z])?)*\//),
+        str(/^[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?(?:\.[0-9a-z](?:(?:[0-9a-z]|-(?=\w)){0,61}[0-9a-z])?)*\//i),
         ([source]) => source.length <= 253 + 1),
       verify(
         str(new RegExp([

package/src/parser/inline/autolink.ts

@@ -12,18 +12,18 @@ import { Syntax, State } from '../context';
 import { stringify } from '../util';
 
 export const autolink: AutolinkParser = fmap(
-  validate(/^(?:[@#>0-9A-Za-z]|\S[#>])/,
+  validate(/^(?:[@#>0-9a-z]|\S[#>])/i,
   constraint(State.autolink, false,
   syntax(Syntax.autolink, 1, 1, State.none,
   some(union([
     url,
     email,
     // Escape unmatched email-like strings.
-    str(/^[0-9A-Za-z]+(?:[.+_-][0-9A-Za-z]+)*(?:@(?:[0-9A-Za-z]+(?:[.-][0-9A-Za-z]+)*)?)*/),
+    str(/^[0-9a-z]+(?:[.+_-][0-9a-z]+)*(?:@(?:[0-9a-z]+(?:[.-][0-9a-z]+)*)?)*/i),
     channel,
     account,
     // Escape unmatched account-like strings.
-    str(/^@+[0-9A-Za-z]*(?:-[0-9A-Za-z]+)*/),
+    str(/^@+[0-9a-z]*(?:-[0-9a-z]+)*/i),
     // Escape invalid leading characters.
     str(new RegExp(/^(?:[^\p{C}\p{S}\p{P}\s]|emoji|['_])(?=#)/u.source.replace('emoji', emoji), 'u')),
     hashtag,

package/src/parser/inline/link.test.ts

@@ -25,11 +25,16 @@ describe('Unit: parser/inline/link', () => {
       assert.deepStrictEqual(inspect(parser('[https://host]{http://host}')), undefined);
       assert.deepStrictEqual(inspect(parser('[[]{http://host}.com]{http://host}')), undefined);
       assert.deepStrictEqual(inspect(parser('[[]{http://host/a}b]{http://host/ab}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[0987654321]{tel:1234567890}')), [['<a class="invalid">0987654321</a>'], '']);
-      assert.deepStrictEqual(inspect(parser('[1234567890-]{tel:1234567890}')), [[`<a class="invalid">1234567890-</a>`], '']);
-      assert.deepStrictEqual(inspect(parser('[-1234567890]{tel:1234567890}')), [[`<a class="invalid">-1234567890</a>`], '']);
-      assert.deepStrictEqual(inspect(parser('[123456789a]{tel:1234567890}')), [['<a class="invalid">123456789a</a>'], '']);
-      assert.deepStrictEqual(inspect(parser('[1234567890]{tel:ttel:1234567890}')), [['<a class="invalid">1234567890</a>'], '']);
+      assert.deepStrictEqual(inspect(parser('{http%73://host}')), [['<a class="url" href="http%73://host">http%73://host</a>'], '']);
+      assert.deepStrictEqual(inspect(parser('{http://a%C3%A1}')), [['<a class="url" href="http://a%C3%A1" target="_blank">http://a%C3%A1</a>'], '']);
+      assert.deepStrictEqual(inspect(parser('[http://á]{http://evil}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[xxx://á]{http://evil}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[.http://á]{http://evil}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[0987654321]{tel:1234567890}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[1234567890-]{tel:1234567890}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[-1234567890]{tel:1234567890}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[123456789a]{tel:1234567890}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[1234567890]{tel:ttel:1234567890}')), undefined);
       //assert.deepStrictEqual(inspect(parser('[#a]{b}')), undefined);
       //assert.deepStrictEqual(inspect(parser('[\\#a]{b}')), undefined);
       //assert.deepStrictEqual(inspect(parser('[c #a]{b}')), undefined);

package/src/parser/inline/link.ts

@@ -36,12 +36,6 @@ const textlink: LinkParser.TextLinkParser = lazy(() =>
   ])),
   ([params, content = []]: [string[], (HTMLElement | string)[]], rest, context) => {
     assert(!html('div', content).querySelector('a, .media, .annotation, .reference'));
-    if (content.length !== 0 && trimNode(content).length === 0) return;
-    for (let source = stringify(content); source;) {
-      const result = autolink({ source, context });
-      if (typeof eval(result, [])[0] === 'object') return;
-      source = exec(result, '');
-    }
     return parse(content, params, rest, context);
   }))));
 
@@ -91,15 +85,40 @@ function parse(
 ): Result<HTMLAnchorElement, MarkdownParser.Context> {
   assert(params.length > 0);
   assert(params.every(p => typeof p === 'string'));
+  if (content.length !== 0 && trimNode(content).length === 0) return;
+  content = defrag(content);
+  for (let source = stringify(content); source;) {
+    if (/^[a-z][0-9a-z]*(?:[-.][0-9a-z]+)*:\/\/[^/?#]/i.test(source)) return;
+    const result = autolink({ source, context });
+    if (typeof eval(result, [])[0] === 'object') return;
+    source = exec(result, '');
+  }
   const INSECURE_URI = params.shift()!;
   assert(INSECURE_URI === INSECURE_URI.trim());
   assert(!INSECURE_URI.match(/\s/));
+  const uri = new ReadonlyURL(
+    resolve(INSECURE_URI, context.host ?? location, context.url ?? context.host ?? location),
+    context.host?.href || location.href);
+  switch (uri.protocol) {
+    case 'tel:': {
+      const tel = content.length === 0
+        ? INSECURE_URI
+        : content[0];
+      const pattern = /^(?:tel:)?(?:\+(?!0))?\d+(?:-\d+)*$/i;
+      if (content.length <= 1 &&
+          typeof tel === 'string' &&
+          pattern.test(tel) &&
+          pattern.test(INSECURE_URI) &&
+          tel.replace(/[^+\d]/g, '') === INSECURE_URI.replace(/[^+\d]/g, '')) {
+        break;
+      }
+      return;
+    }
+  }
   const el = elem(
     INSECURE_URI,
-    defrag(content),
-    new ReadonlyURL(
-      resolve(INSECURE_URI, context.host ?? location, context.url ?? context.host ?? location),
-      context.host?.href || location.href),
+    content,
+    uri,
     context.host?.origin || location.origin);
   if (el.className === 'invalid') return [[el], rest];
   return [[define(el, attributes('link', [], optspec, params))], rest];
@@ -137,21 +156,15 @@ function elem(
           ? decode(INSECURE_URI)
           : content);
     case 'tel:':
-      if (content.length === 0) {
-        content = [INSECURE_URI];
-      }
-      const pattern = /^(?:tel:)?(?:\+(?!0))?\d+(?:-\d+)*$/i;
-      switch (true) {
-        case content.length === 1
-          && typeof content[0] === 'string'
-          && pattern.test(INSECURE_URI)
-          && pattern.test(content[0])
-          && INSECURE_URI.replace(/[^+\d]/g, '') === content[0].replace(/[^+\d]/g, ''):
-          return html('a', { class: 'tel', href: uri.source }, content);
-      }
-      type = 'content';
-      message = 'Invalid phone number';
-      break;
+      assert(content.length <= 1);
+      return html('a',
+        {
+          class: 'tel',
+          href: uri.source,
+        },
+        content.length === 0
+          ? [INSECURE_URI]
+          : content);
   }
   return html('a',
     {
@@ -172,7 +185,7 @@ export function resolve(uri: string, host: URL | Location, source: URL | Locatio
     case uri.slice(0, 2) === '^/':
       const last = host.pathname.slice(host.pathname.lastIndexOf('/') + 1);
       return last.includes('.') // isFile
-          && /^[0-9]*[A-Za-z][0-9A-Za-z]*$/.test(last.slice(last.lastIndexOf('.') + 1))
+          && /^[0-9]*[a-z][0-9a-z]*$/i.test(last.slice(last.lastIndexOf('.') + 1))
         ? `${host.pathname.slice(0, -last.length)}${uri.slice(2)}`
         : `${host.pathname.replace(/\/?$/, '/')}${uri.slice(2)}`;
     case host.origin === source.origin
@@ -189,8 +202,13 @@ export function resolve(uri: string, host: URL | Location, source: URL | Locatio
 
 function decode(uri: string): string {
   if (!uri.includes('%')) return uri;
+  const origin = uri.match(/^[a-z](?:[-.](?=\w)|[0-9a-z])*:\/\/[^/?#]*/i)?.[0] ?? '';
   try {
-    uri = decodeURI(uri);
+    let path = decodeURI(uri.slice(origin.length));
+    if (!origin && /^[a-z](?:[-.](?=\w)|[0-9a-z])*:\/\/[^/?#]/i.test(path)) {
+      path = uri.slice(origin.length);
+    }
+    uri = origin + path;
   }
   finally {
     return uri.replace(/\s+/g, encodeURI);