Browse Source

validateLink: expand entities before trimming and lowercasing

pull/47/head
opennota 10 years ago
parent
commit
7da4d5e81b
  1. 6
      lib/parser_inline.js
  2. 7
      test/fixtures/markdown-it/xss.txt

6
lib/parser_inline.js

@ -30,10 +30,10 @@ var _rules = [
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
function validateLink(url) {
var str = url.trim().toLowerCase();
// Care about digital entities "javascript:alert(1)"
str = replaceEntities(str);
var str = replaceEntities(url);
str = str.trim().toLowerCase();
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
return false;

7
test/fixtures/markdown-it/xss.txt

@ -29,8 +29,15 @@ Should not allow some protocols in links and images
.
[xss link]("><script>alert("xss")</script>)
[xss link](Javascript:alert(1))
[xss link](Javascript:alert(1))
.
<p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p>
<p>[xss link](Javascript:alert(1))</p>
<p>[xss link](&amp;#74;avascript:alert(1))</p>
.
.

Loading…
Cancel
Save