
Better error handling in link normalizer + more tests for edge cases

pull/14/head
Vitaly Puzrin 10 years ago
parent
commit
7f7260d021
  1. 10
      lib/helpers/normalize_link.js
  2. 6
      lib/parser_inline.js
  3. 9
      test/fixtures/remarkable/commonmark_extras.txt
  4. 51
      test/fixtures/remarkable/xss.txt

10
lib/helpers/normalize_link.js

@ -5,5 +5,13 @@ var replaceEntities = require('../common/utils').replaceEntities;
module.exports = function normalizeLink(url) {
return encodeURI(decodeURI(replaceEntities(url)));
var normalized = replaceEntities(url);
// We don't care much about result of mailformed URIs,
// but shoud not throw exception.
try {
normalized = decodeURI(normalized);
} catch (__) {}
return encodeURI(normalized);
};
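Review bot: The try/catch covers only decodeURI; the `return encodeURI(normalized);` line is still outside it, and encodeURI throws a URIError when `normalized` contains a lone (unpaired) surrogate, so normalizeLink can still raise on that input despite the comment's stated intent. If malformed input must never throw, the encode step needs the same guard, e.g. `try { return encodeURI(normalized); } catch (__) { return ''; }` — what to return on failure is a policy choice, but an empty string is the conservative one, since handing back the raw string would presumably reach the href unencoded. The comment also has two typos: `mailformed` → `malformed` and `shoud` → `should`.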

6
lib/parser_inline.js

@ -5,6 +5,7 @@
var Ruler = require('./ruler');
var StateInline = require('./rules_inline/state_inline');
var replaceEntities = require('./common/utils').replaceEntities;
////////////////////////////////////////////////////////////////////////////////
// Parser rules
@ -30,7 +31,10 @@ var _rules = [
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
function validateLink(url) {
var str = decodeURI(url).trim().toLowerCase();
var str = url.trim().toLowerCase();
// Care about digital entities "javascript:alert(1)"
str = replaceEntities(str);
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
return false;
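Review bot: In validateLink the entity decoding on the `str = replaceEntities(str);` line runs after `toLowerCase()`, so a numeric entity that decodes to an uppercase letter is never case-folded, and the comparison of `str.split(':')[0]` against the all-lowercase BAD_PROTOCOLS entries will miss a scheme spelled that way. Decode first and fold afterwards: `var str = replaceEntities(url).trim().toLowerCase();` and drop the separate replaceEntities line. The new xss.txt fixture exercises only all-lowercase and all-uppercase schemes plus the `&#x3A;` colon form, so a case where the scheme's letters come from entities would be worth adding there. The function body continues past the end of the hunk.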

9
test/fixtures/remarkable/commonmark_extras.txt

@ -123,3 +123,12 @@ Autolinks do not allow escaping:
.
<p><a href="http://example.com/%5C%5B%5C">http://example.com/\[\</a></p>
.
Should not throw exception on mailformed URI
.
[foo](<&#x25;test>)
.
<p><a href="%25test">foo</a></p>
.

51
test/fixtures/remarkable/xss.txt

@ -10,47 +10,70 @@ Should not allow some protocols in links and images
.
[xss link](javascript:alert(1))
[xss link](JAVASCRIPT:alert(1))
[xss link](vbscript:alert(1))
[xss link](VBSCRIPT:alert(1))
[xss link](file:///123)
.
<p>[xss link](javascript:alert(1))</p>
<p>[xss link](JAVASCRIPT:alert(1))</p>
<p>[xss link](vbscript:alert(1))</p>
<p>[xss link](VBSCRIPT:alert(1))</p>
<p>[xss link](file:///123)</p>
.
.
[xss link](JAVASCRIPT:alert(1))
[xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
.
<p>[xss link](JAVASCRIPT:alert(1))</p>
<p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p>
.
.
[xss link](vbscript:alert(1))
[xss link](<javascript:alert(1)>)
.
<p>[xss link](vbscript:alert(1))</p>
<p>[xss link](&lt;javascript:alert(1)&gt;)</p>
.
.
[xss link](VBSCRIPT:alert(1))
[xss link](javascript&#x3A;alert(1))
.
<p>[xss link](VBSCRIPT:alert(1))</p>
<p>[xss link](javascript:alert(1))</p>
.
Image parser use the same code base.
.
[xss link](file:///123)
![xss link](javascript:alert(1))
.
<p>[xss link](file:///123)</p>
<p>![xss link](javascript:alert(1))</p>
.
Autolinks
.
[xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
<javascript&#x3A;alert(1)>
<javascript:alert(1)>
.
<p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p>
<p>&lt;javascript:alert(1)&gt;</p>
<p>&lt;javascript:alert(1)&gt;</p>
.
Image parser use the same code base.
Linkifier
.
![xss link](javascript:alert(1))
javascript&#x3A;alert(1)
javascript:alert(1)
.
<p>![xss link](javascript:alert(1))</p>
<p>javascript:alert(1)</p>
<p>javascript:alert(1)</p>
.
