Public-Mirrors
/
markdown-it
mirror of https://github.com/markdown-it/markdown-it.git
1
0
Fork 0
Code Issues Releases Activity
Browse Source

Better error handling in link normalizer + more tests for edge cases

pull/14/head
Vitaly Puzrin 10 years ago
parent
d54ed887f4
commit
7f7260d021
4 changed files with 62 additions and 18 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 10
      lib/helpers/normalize_link.js
  2. 10
      lib/parser_inline.js
  3. 9
      test/fixtures/remarkable/commonmark_extras.txt
  4. 51
      test/fixtures/remarkable/xss.txt

10
lib/helpers/normalize_link.js
View File

@ -5,5 +5,13 @@ var replaceEntities = require('../common/utils').replaceEntities;
module.exports = function normalizeLink(url) {
return encodeURI(decodeURI(replaceEntities(url)));
var normalized = replaceEntities(url);
// We don't care much about result of mailformed URIs,
// but shoud not throw exception.
try {
normalized = decodeURI(normalized);
} catch (__) {}
return encodeURI(normalized);
};

10
lib/parser_inline.js
View File

@ -3,8 +3,9 @@
'use strict';
var Ruler = require('./ruler');
var StateInline = require('./rules_inline/state_inline');
var Ruler = require('./ruler');
var StateInline = require('./rules_inline/state_inline');
var replaceEntities = require('./common/utils').replaceEntities;
////////////////////////////////////////////////////////////////////////////////
// Parser rules
@ -30,7 +31,10 @@ var _rules = [
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
function validateLink(url) {
var str = decodeURI(url).trim().toLowerCase();
var str = url.trim().toLowerCase();
// Care about digital entities "javascript:alert(1)"
str = replaceEntities(str);
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
return false;

9
test/fixtures/remarkable/commonmark_extras.txt
View File

@ -123,3 +123,12 @@ Autolinks do not allow escaping:
.
<p><a href="http://example.com/%5C%5B%5C">http://example.com/\[\</a></p>
.
Should not throw exception on mailformed URI
.
[foo](<&#x25;test>)
.
<p><a href="%25test">foo</a></p>
.

51
test/fixtures/remarkable/xss.txt
View File

@ -10,47 +10,70 @@ Should not allow some protocols in links and images
.
[xss link](javascript:alert(1))
[xss link](JAVASCRIPT:alert(1))
[xss link](vbscript:alert(1))
[xss link](VBSCRIPT:alert(1))
[xss link](file:///123)
.
<p>[xss link](javascript:alert(1))</p>
<p>[xss link](JAVASCRIPT:alert(1))</p>
<p>[xss link](vbscript:alert(1))</p>
<p>[xss link](VBSCRIPT:alert(1))</p>
<p>[xss link](file:///123)</p>
.
.
[xss link](JAVASCRIPT:alert(1))
[xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
.
<p>[xss link](JAVASCRIPT:alert(1))</p>
<p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p>
.
.
[xss link](vbscript:alert(1))
[xss link](<javascript:alert(1)>)
.
<p>[xss link](vbscript:alert(1))</p>
<p>[xss link](&lt;javascript:alert(1)&gt;)</p>
.
.
[xss link](VBSCRIPT:alert(1))
[xss link](javascript&#x3A;alert(1))
.
<p>[xss link](VBSCRIPT:alert(1))</p>
<p>[xss link](javascript:alert(1))</p>
.
Image parser use the same code base.
.
[xss link](file:///123)
![xss link](javascript:alert(1))
.
<p>[xss link](file:///123)</p>
<p>![xss link](javascript:alert(1))</p>
.
Autolinks
.
[xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
<javascript&#x3A;alert(1)>
<javascript:alert(1)>
.
<p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p>
<p>&lt;javascript:alert(1)&gt;</p>
<p>&lt;javascript:alert(1)&gt;</p>
.
Image parser use the same code base.
Linkifier
.
![xss link](javascript:alert(1))
javascript&#x3A;alert(1)
javascript:alert(1)
.
<p>![xss link](javascript:alert(1))</p>
<p>javascript:alert(1)</p>
<p>javascript:alert(1)</p>
.

Write Preview
Loading…
Cancel
Save