Remove replaceEntities from validateLink

Entities will usually be replaced with unescapeAll before they go through the validator.
10 years ago · 2a66fb8fbf
2 changed files with 7 additions and 6 deletions
--- a/lib/index.js
+++ b/lib/index.js
@ -21,14 +21,12 @@ var config = {
 };
 var replaceEntities = require('./common/utils').replaceEntities;
 var BAD_PROTOCOLS   = [ 'vbscript', 'javascript', 'file' ];
 function validateLink(url) {
-  // Care about digital entities "javascript&#x3A;alert(1)"
+  // url should be normalized at this point, and existing entities are decoded
-  var str = replaceEntities(url);
+  //
-
+  var str = url.trim().toLowerCase();
  str = str.trim().toLowerCase();
  if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
    return false;
--- a/test/fixtures/markdown-it/xss.txt
+++ b/test/fixtures/markdown-it/xss.txt
@ -31,10 +31,13 @@ Should not allow some protocols in links and images
 [xss link](&#74;avascript:alert(1))
 [xss link](&#x26;#74;avascript:alert(1))
 [xss link](\&#74;avascript:alert(1))
 .
 <p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p>
 <p>[xss link](Javascript:alert(1))</p>
-<p>[xss link](&amp;#74;avascript:alert(1))</p>
+<p><a href="&amp;#74;avascript:alert(1)">xss link</a></p>
 <p><a href="&amp;#74;avascript:alert(1)">xss link</a></p>
 .
 .