Public-Mirrors
/
markdown-it
mirror of https://github.com/markdown-it/markdown-it.git
1
0
Fork 0
Code Issues Releases Activity
Browse Source

Remove replaceEntities from validateLink 

Entities will usually be replaced with unescapeAll before they
go through the validator.
pull/82/head
Alex Kocharin 10 years ago
parent
7037ee34ad
commit
2a66fb8fbf
2 changed files with 7 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      lib/index.js
  2. 5
      test/fixtures/markdown-it/xss.txt

8
lib/index.js
View File

@ -21,14 +21,12 @@ var config = {
};
var replaceEntities = require('./common/utils').replaceEntities;
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
function validateLink(url) {
// Care about digital entities "javascript:alert(1)"
var str = replaceEntities(url);
str = str.trim().toLowerCase();
// url should be normalized at this point, and existing entities are decoded
//
var str = url.trim().toLowerCase();
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
return false;

5
test/fixtures/markdown-it/xss.txt
View File

@ -31,10 +31,13 @@ Should not allow some protocols in links and images
[xss link](Javascript:alert(1))
[xss link](Javascript:alert(1))
[xss link](\Javascript:alert(1))
.
<p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p>
<p>[xss link](Javascript:alert(1))</p>
<p>[xss link](&amp;#74;avascript:alert(1))</p>
<p><a href="&amp;#74;avascript:alert(1)">xss link</a></p>
<p><a href="&amp;#74;avascript:alert(1)">xss link</a></p>
.
.

Write Preview
Loading…
Cancel
Save