Public-Mirrors
/
markdown-it
mirror of https://github.com/markdown-it/markdown-it.git
1
0
Fork 0
Code Issues Releases Activity
Browse Source

more fixes in link protocols check

pull/14/head
Vitaly Puzrin 10 years ago
parent
d02fc8a32b
commit
0d22001900
2 changed files with 17 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      lib/parser_inline.js
  2. 15
      test/fixtures/remarkable/xss.txt

4
lib/parser_inline.js
View File

@ -25,7 +25,7 @@ rules.push(require('./rules_inline/htmltag'));
rules.push(require('./rules_inline/entity'));
rules.push(require('./rules_inline/escape_html_char'));
var BAD_PROTOCOLS = [ 'vbscript', 'javascript' ];
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
function validateLink(url) {
var str = '';
@ -36,7 +36,7 @@ function validateLink(url) {
if (!str) { return false; }
if (BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
return false;
}
return true;

15
test/fixtures/remarkable/xss.txt
View File

@ -1,3 +1,11 @@
.
[normal link](javascript)
.
<p><a href="javascript">normal link</a></p>
.
Should not allow some protocols in links and images
.
@ -24,6 +32,13 @@ Should not allow some protocols in links and images
<p>[xss link](VBSCRIPT:alert(1))</p>
.
.
[xss link](file:///123)
.
<p>[xss link](file:///123)</p>
.
.
[xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
.

Write Preview
Loading…
Cancel
Save