added tel number handling for links

dist/xss.js

@@ -159,6 +159,7 @@ function safeAttrValue (tag, name, value, cssFilter) {
     if (!(value.substr(0, 7) === 'http://' ||
          value.substr(0, 8) === 'https://' ||
          value.substr(0, 7) === 'mailto:' ||
+         value.substr(0, 4) === 'tel:' ||
          value[0] === '#' ||
          value[0] === '/')) {
       return '';

lib/default.js

@@ -158,6 +158,7 @@ function safeAttrValue (tag, name, value, cssFilter) {
     if (!(value.substr(0, 7) === 'http://' ||
          value.substr(0, 8) === 'https://' ||
          value.substr(0, 7) === 'mailto:' ||
+         value.substr(0, 4) === 'tel:' ||
          value[0] === '#' ||
          value[0] === '/')) {
       return '';

test/test_xss.js

@@ -209,6 +209,7 @@ describe('test XSS', function () {
     assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">');
     assert.equal(xss('<a href="https://aa.com">'), '<a href="https://aa.com">');
     assert.equal(xss('<a href="mailto:me@ucdok.com">'), '<a href="mailto:me@ucdok.com">');
+    assert.equal(xss('<a href="tel:0123456789">'), '<a href="tel:0123456789">');
     assert.equal(xss('<a href="#hello">'), '<a href="#hello">');
     assert.equal(xss('<a href="other">'), '<a href>');