diff --git a/CHANGELOG.textile b/CHANGELOG.textile
index 22adbe8..41f6cdd 100644
--- a/CHANGELOG.textile
+++ b/CHANGELOG.textile
@@ -4,6 +4,9 @@ Here's a summary of changes in each release. The list doesn't include some small
 h2. Version 4.1.3 - upcoming
+* This is a security update, which fixes stored XSS vulnerability in image link handing.
+* Fixed: In restricted mode, restrict image link protocol. Previously and an image link's href allowed all protocols in restricted mode. Now it goes through the same validation as text links.
+
 h2. "Version 4.1.2 - 2024/08/29":https://github.com/textile/php-textile/releases/tag/v4.1.2
 * Fix PHP 8.4 compatibility issues (closes "#227":https://github.com/textile/php-textile/issues/227).
diff --git a/src/Netcarver/Textile/Parser.php b/src/Netcarver/Textile/Parser.php
index c670615..f8ae92a 100644
--- a/src/Netcarver/Textile/Parser.php
+++ b/src/Netcarver/Textile/Parser.php
@@ -4719,6 +4719,10 @@ protected function fImage($m)
 $title = (isset($m['title'])) ? $m['title'] : '';
 $href = (isset($m['href'])) ? $m['href'] : '';
+ if ($href && !$this->isValidUrl($href)) {
+ return $m[0];
+ }
+
 $alignments = array(
 '<' => 'left',
 '=' => 'center',
diff --git a/test/fixtures/GHSA-95m2-chm4-mq7m.yaml b/test/fixtures/GHSA-95m2-chm4-mq7m.yaml
new file mode 100644
index 0000000..fc91e87
--- /dev/null
+++ b/test/fixtures/GHSA-95m2-chm4-mq7m.yaml
@@ -0,0 +1,11 @@
+In restricted mode, restrict protocol for image links too like it was already done for text links:
+ setup:
+ - setRestricted: true
+ input: |
+ !securing.pl(Click Tu)!:javascript:document.innerHTML=''+document.cookie)
+
+ "securing.pl(Click Tu)":javascript:document.innerHTML=''+document.cookie)
+ expect : |
+
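Review bot: The new guard in fImage tests `$href` for truthiness, so an href of `'0'` skips `isValidUrl()` entirely while any other non-empty value is checked; `if ($href !== '' && !$this->isValidUrl($href)) {` expresses the intended "empty means no link" condition without that gap. Returning `$m[0]` hands the raw image markup back into the document, which relies on later stages to escape it, and the fixture's expected output suggests the text still passes through glyph processing afterwards; a comment such as `// href failed URL validation (e.g. a disallowed protocol in restricted mode): leave the markup unparsed` would make that fallback deliberate rather than accidental. Only the link href is validated here, not the image source itself; whether the source goes through an equivalent check cannot be told from this hunk. The body of fImage starts and ends outside the hunk.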
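Review bot: The fixture only exercises the rejecting path (a `javascript:` href in restricted mode), so a regression that makes `isValidUrl()` reject everything would still pass; the expected output as shown appears to contain the `<script>` text verbatim, which may be an artifact of how this page was extracted, but is worth confirming against the actual fixture. A second case with an `http:` image link in restricted mode, and one with `setRestricted: false`, would pin down that valid image links keep rendering and that non-restricted documents are unaffected.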
!securing.pl(Click Tu)!:javascript:document.innerHTML=’<script>alert(1);</script>’+document.cookie)
+ +“securing.pl(Click Tu)”:javascript:document.innerHTML=’<script>alert(1);</script>’+document.cookie)