diff --git a/app/assets/javascripts/discourse/dialects/anchor_dialect.js b/app/assets/javascripts/discourse/dialects/anchor_dialect.js
new file mode 100644
index 00000000000..a637624177c
--- /dev/null
+++ b/app/assets/javascripts/discourse/dialects/anchor_dialect.js
@@ -0,0 +1,13 @@
+// prevent XSS
+Discourse.Dialect.on('parseNode', function (event) {
+ var node = event.node;
+
+ if (node[0] === 'a') {
+ var attributes = node[1];
+ if (attributes["href"]) {
+ if (!Discourse.Markdown.urlAllowed(attributes["href"])) {
+ delete attributes["href"];
+ }
+ }
+ }
+});
diff --git a/test/javascripts/lib/markdown_test.js b/test/javascripts/lib/markdown_test.js
index 74f1237b7d9..ec18c80a2d1 100644
--- a/test/javascripts/lib/markdown_test.js
+++ b/test/javascripts/lib/markdown_test.js
@@ -352,6 +352,8 @@ test("sanitize", function() {
 equal(sanitize(""), "hullo");
 equal(sanitize(""), "press me!");
 equal(sanitize("draw me!"), "draw me!");
+
+ cooked("[the answer](javascript:alert(42))", "
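Review bot: `node[1]` is dereferenced without a guard inside the `a` branch, so an anchor node that carries no attribute object (`['a']`) makes `attributes["href"]` throw a TypeError inside the parse hook instead of passing through untouched; `var attributes = node[1]; if (attributes && attributes.href && !Discourse.Markdown.urlAllowed(attributes.href)) { delete attributes.href; }` avoids that and collapses the three nested ifs into one. Whether `urlAllowed` also rejects case and whitespace variants such as `JaVaScRiPt:` or a leading tab is not visible in this hunk, and the one `javascript:` test case added alongside does not exercise it, so that is worth confirming against its implementation before relying on this hook as the XSS guard. The `// prevent XSS` header would be more useful if it said what is filtered and why deletion is used, e.g. `// Drop any href that urlAllowed rejects (javascript: etc.) so the link text still renders but the URL can never be followed`.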

the answer

", "it prevents XSS"); }); test("URLs in BBCode tags", function() {
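Review bot: The new assertion pins only the lower-case `javascript:` spelling, so a filter that rejects exactly that string but lets `JaVaScRiPt:alert(42)` or a leading-whitespace variant through would still pass this test; unless `urlAllowed` is known to normalise those, add a further `cooked(...)` case for each spelling it is meant to reject. There is also no positive case showing that a safe link keeps its href, e.g. `cooked("[ok](http://example.com)", …, "it keeps allowed hrefs")` with the expected markup written the way the other `cooked` cases in this file spell anchors, which guards against the filter stripping every href. The enclosing `test("sanitize", ...)` function starts before this hunk.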