
more fixes in link protocols check

pull/14/head
Vitaly Puzrin 10 years ago
parent
commit
0d22001900
  1. 4
      lib/parser_inline.js
  2. 15
      test/fixtures/remarkable/xss.txt

4
lib/parser_inline.js

@ -25,7 +25,7 @@ rules.push(require('./rules_inline/htmltag'));
rules.push(require('./rules_inline/entity'));
rules.push(require('./rules_inline/escape_html_char'));
var BAD_PROTOCOLS = [ 'vbscript', 'javascript' ];
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
function validateLink(url) {
var str = '';
@ -36,7 +36,7 @@ function validateLink(url) {
if (!str) { return false; }
if (BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
return false;
}
return true;
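Review bot: The new condition on the `if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0)` line still rests on a three-entry denylist (`vbscript`, `javascript`, `file`), so any other scheme able to carry active content — `data:` being the usual one — still passes `validateLink` unchanged; the narrowest follow-up is `var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file', 'data' ];` (exempting image `data:` URIs only if the image rule shares this check) plus a matching negative case in test/fixtures/remarkable/xss.txt. How `str` is derived from `url` is outside the hunk, so whether the scheme is lower-cased and stripped of whitespace before `split(':')` cannot be confirmed here; the `VBSCRIPT:` fixture suggests case is normalized, and a comment above the check, `// NOTE: assumes str was lower-cased/trimmed above; only the scheme is compared`, would pin that contract for the next reader. The scheme is also extracted twice (`indexOf(':')` then `split(':')[0]`), which reads more directly as `var scheme = str.split(':')[0]; if (scheme !== str && BAD_PROTOCOLS.indexOf(scheme) >= 0) { return false; }`. validateLink's body continues outside the hunk.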

15
test/fixtures/remarkable/xss.txt

@ -1,3 +1,11 @@
.
[normal link](javascript)
.
<p><a href="javascript">normal link</a></p>
.
Should not allow some protocols in links and images
.
@ -24,6 +32,13 @@ Should not allow some protocols in links and images
<p>[xss link](VBSCRIPT:alert(1))</p>
.
.
[xss link](file:///123)
.
<p>[xss link](file:///123)</p>
.
.
[xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
.
