
Better error handling in link normalizer + more tests for edge cases

pull/14/head
Vitaly Puzrin 10 years ago
parent
commit
7f7260d021
  1. 10
      lib/helpers/normalize_link.js
  2. 6
      lib/parser_inline.js
  3. 9
      test/fixtures/remarkable/commonmark_extras.txt
  4. 51
      test/fixtures/remarkable/xss.txt

10
lib/helpers/normalize_link.js

@ -5,5 +5,13 @@ var replaceEntities = require('../common/utils').replaceEntities;
module.exports = function normalizeLink(url) { module.exports = function normalizeLink(url) {
return encodeURI(decodeURI(replaceEntities(url))); var normalized = replaceEntities(url);
// We don't care much about result of mailformed URIs,
// but shoud not throw exception.
try {
normalized = decodeURI(normalized);
} catch (__) {}
return encodeURI(normalized);
}; };
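Review bot: The new `try` only guards `decodeURI`; `encodeURI(normalized)` on the last line is still outside it and throws `URIError` on a string containing a lone UTF-16 surrogate (e.g. `encodeURI('\uD800')`), so the "should not throw" contract the comment promises is not fully met. Wrapping the encode step as well, and returning a harmless value on failure, closes that path; the comment on lines 25-26 also has two typos (`mailformed`, `shoud`). Whether the fallback should be an empty string or the un-encoded input is a maintainers' call — the fence uses an empty string so that a malformed link never reaches the href unencoded.
```javascript
  var normalized = replaceEntities(url);
  // Malformed input (bad %xx escapes, lone surrogates) must not throw;
  // degrade to a harmless value instead of crashing the parser.
  try {
    normalized = decodeURI(normalized);
  } catch (__) {}
  try {
    return encodeURI(normalized);
  } catch (__) {
    return '';
  }
```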

6
lib/parser_inline.js

@ -5,6 +5,7 @@
var Ruler = require('./ruler'); var Ruler = require('./ruler');
var StateInline = require('./rules_inline/state_inline'); var StateInline = require('./rules_inline/state_inline');
var replaceEntities = require('./common/utils').replaceEntities;
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
// Parser rules // Parser rules
@ -30,7 +31,10 @@ var _rules = [
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ]; var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
function validateLink(url) { function validateLink(url) {
var str = decodeURI(url).trim().toLowerCase(); var str = url.trim().toLowerCase();
// Care about digital entities "javascript:alert(1)"
str = replaceEntities(str);
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) { if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
return false; return false;
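Review bot: The scheme check lowercases and trims before entities are replaced (`var str = url.trim().toLowerCase();` followed by `str = replaceEntities(str);`), whereas `normalizeLink` in lib/helpers/normalize_link.js calls `replaceEntities` on the original-case input that becomes the href. Any entity whose name is case-sensitive, or one that decodes to leading whitespace, may therefore be decoded differently by the validator than by the producer of the attribute; reordering to `var str = replaceEntities(url).trim().toLowerCase();` makes the validator inspect the same decoded string. A short comment noting that the `%3A` case is safe only because `decodeURI`/`encodeURI` leave reserved characters encoded would help the next reader, since the old `decodeURI` call here has been removed. `BAD_PROTOCOLS` deliberately lists only three schemes; whether `data:` belongs there is a policy question worth recording in a comment. `validateLink` continues past the end of the hunk.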

9
test/fixtures/remarkable/commonmark_extras.txt

@ -123,3 +123,12 @@ Autolinks do not allow escaping:
. .
<p><a href="http://example.com/%5C%5B%5C">http://example.com/\[\</a></p> <p><a href="http://example.com/%5C%5B%5C">http://example.com/\[\</a></p>
. .
Should not throw exception on mailformed URI
.
[foo](<&#x25;test>)
.
<p><a href="%25test">foo</a></p>
.

51
test/fixtures/remarkable/xss.txt

@ -10,47 +10,70 @@ Should not allow some protocols in links and images
. .
[xss link](javascript:alert(1)) [xss link](javascript:alert(1))
[xss link](JAVASCRIPT:alert(1))
[xss link](vbscript:alert(1))
[xss link](VBSCRIPT:alert(1))
[xss link](file:///123)
. .
<p>[xss link](javascript:alert(1))</p> <p>[xss link](javascript:alert(1))</p>
<p>[xss link](JAVASCRIPT:alert(1))</p>
<p>[xss link](vbscript:alert(1))</p>
<p>[xss link](VBSCRIPT:alert(1))</p>
<p>[xss link](file:///123)</p>
. .
. .
[xss link](JAVASCRIPT:alert(1)) [xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
. .
<p>[xss link](JAVASCRIPT:alert(1))</p> <p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p>
. .
. .
[xss link](vbscript:alert(1)) [xss link](<javascript:alert(1)>)
. .
<p>[xss link](vbscript:alert(1))</p> <p>[xss link](&lt;javascript:alert(1)&gt;)</p>
. .
. .
[xss link](VBSCRIPT:alert(1)) [xss link](javascript&#x3A;alert(1))
. .
<p>[xss link](VBSCRIPT:alert(1))</p> <p>[xss link](javascript:alert(1))</p>
. .
Image parser use the same code base.
. .
[xss link](file:///123) ![xss link](javascript:alert(1))
. .
<p>[xss link](file:///123)</p> <p>![xss link](javascript:alert(1))</p>
. .
Autolinks
. .
[xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;) <javascript&#x3A;alert(1)>
<javascript:alert(1)>
. .
<p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p> <p>&lt;javascript:alert(1)&gt;</p>
<p>&lt;javascript:alert(1)&gt;</p>
. .
Image parser use the same code base. Linkifier
. .
![xss link](javascript:alert(1)) javascript&#x3A;alert(1)
javascript:alert(1)
. .
<p>![xss link](javascript:alert(1))</p> <p>javascript:alert(1)</p>
<p>javascript:alert(1)</p>
. .
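Review bot: None of the new fixtures exercise a percent-encoded scheme separator such as `[xss link](javascript%3Aalert(1))`, which is the case most affected by dropping `decodeURI` from `validateLink` in lib/parser_inline.js. A fixture pinning that the output keeps `%3A` encoded (so the href is not a `javascript:` URL) would guard that behaviour against future changes to the normalizer. The entity-encoded `&#x3A;` cases added here cover the other half of that reasoning.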
