
Allowlist data:image/svg+xml

pull/769/head
William Wong 4 years ago
parent
commit
9ade19968a
  1. 2
      lib/index.js
  2. 27
      test/misc.js

2
lib/index.js

@ -30,7 +30,7 @@ var config = {
//
var BAD_PROTO_RE = /^(vbscript|javascript|file|data):/;
var GOOD_DATA_RE = /^data:image\/(gif|png|jpeg|webp);/;
var GOOD_DATA_RE = /^data:image\/(gif|png|jpeg|svg\+xml|webp);/;
function validateLink(url) {
// url should be normalized at this point, and existing entities are decoded
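Review bot: The new GOOD_DATA_RE entry `svg+xml` differs in kind from gif/png/jpeg/webp: SVG is a document format that can carry script and event handlers, so the safety of this allowlist depends on the consumer only ever using the URL as an image source, and BAD_PROTO_RE/GOOD_DATA_RE appear to gate link hrefs as well as image srcs (inferred from validateLink's single entry point; its body continues outside the hunk). The hunk should record that assumption next to the regex, e.g. `// svg+xml is scriptable; only safe because the consumer treats data: URLs as image sources, never as navigable documents`. Note also that the regex stops at the `;` after the media type, so the remainder of the data: URL is not inspected at this layer — unchanged by this commit, but worth stating in the same comment so a later reader does not read the allowlist as a content check.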

27
test/misc.js

@ -294,6 +294,33 @@ describe('Links validation', function () {
assert.strictEqual(md.render('![test](http://example.com)'), '<p>![test](http://example.com)</p>\n');
});
it('default should allow common data:image/*', function () {
var md = markdownit();
assert.strictEqual(md.render('![test](data:image/gif;base64,)'), '<p><img src="data:image/gif;base64," alt="test"></p>\n');
assert.strictEqual(md.render('![test](data:image/png;base64,)'), '<p><img src="data:image/png;base64," alt="test"></p>\n');
assert.strictEqual(md.render('![test](data:image/jpeg;base64,)'), '<p><img src="data:image/jpeg;base64," alt="test"></p>\n');
assert.strictEqual(md.render('![test](data:image/svg+xml;base64,)'), '<p><img src="data:image/svg+xml;base64," alt="test"></p>\n');
assert.strictEqual(md.render('![test](data:image/webp;base64,)'), '<p><img src="data:image/webp;base64," alt="test"></p>\n');
});
it('default should allow tel: and map:', function () {
var md = markdownit();
assert.strictEqual(md.render('[Call me](tel:1234567)'), '<p><a href="tel:1234567">Call me</a></p>\n');
assert.strictEqual(md.render('[Track me](map:12.3,45.6)'), '<p><a href="map:12.3,45.6">Track me</a></p>\n');
});
it('default should skip blocklisted protocols', function () {
var md = markdownit();
assert.strictEqual(md.render('![test](data:image/x-something;base64,)'), '<p>![test](data:image/x-something;base64,)</p>\n');
assert.strictEqual(md.render('![test](data:text/javascript;base64,)'), '<p>![test](data:text/javascript;base64,)</p>\n');
assert.strictEqual(md.render('![test](vbscript:alert())'), '<p>![test](vbscript:alert())</p>\n');
assert.strictEqual(md.render('![test](javascript:alert())'), '<p>![test](javascript:alert())</p>\n');
assert.strictEqual(md.render('![test](file:/root.txt)'), '<p>![test](file:/root.txt)</p>\n');
});
});
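Review bot: The new 'default should allow common data:image/*' case only exercises the image syntax, so it does not pin what validateLink does with the same data: URL in a link, which is the form where an SVG document could be opened rather than rendered (validateLink gating both forms is inferred, not visible in this hunk). Adding one assertion for the anchor form makes the intended behaviour explicit either way, e.g. `assert.strictEqual(md.render('[test](data:image/svg+xml;base64,)'), '<p><a href="data:image/svg+xml;base64,">test</a></p>\n');` if links are meant to pass, or the escaped-text output if they are not. The 'default should skip blocklisted protocols' case could similarly gain a link-form `javascript:` assertion so both paths are covered symmetrically.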
