Patch taken from Debian (via upstream pull request that is still pending)

http://sources.debian.net/src/ruby-redcloth/4.2.9-4/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch/
https://github.com/jgarber/redcloth/pull/20/commits

From b3d82f0c3a354a2f589e1fd43f5f1d7e427b530e Mon Sep 17 00:00:00 2001
From: Antonio Terceiro <terceiro@debian.org>
Date: Sat, 7 Feb 2015 23:27:39 -0200
Subject: [PATCH] Filter out 'javascript:' links when using filter_html or
 sanitize_html

This is a fix for CVE-2012-6684
---
 lib/redcloth/formatters/html.rb     |  6 +++++-
 spec/security/CVE-2012-6684_spec.rb | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 spec/security/CVE-2012-6684_spec.rb

diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
index bfadfb7..b8793b2 100644
--- a/lib/redcloth/formatters/html.rb
+++ b/lib/redcloth/formatters/html.rb
@@ -111,7 +111,11 @@ module RedCloth::Formatters::HTML
   end
   
   def link(opts)
-    "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
+    if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
+      opts[:name]
+    else
+      "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
+    end
   end
   
   def image(opts)
diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb
new file mode 100644
index 0000000..05219fd
--- /dev/null
+++ b/spec/security/CVE-2012-6684_spec.rb
@@ -0,0 +1,14 @@
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684
+
+require 'redcloth'
+
+describe 'CVE-2012-6684' do
+
+  it 'should not let javascript links pass through' do
+    # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
+    output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+    expect(output).to_not match(/href=.javascript:alert/)
+  end
+
+
+end
-- 
2.1.4