Public-Mirrors
/
markdown-it
mirror of https://github.com/markdown-it/markdown-it.git
1
0
Fork 0
Code Issues Releases Activity
Browse Source

Improved prohibited protocols check in links

pull/14/head
Vitaly Puzrin 10 years ago
parent
6dc8e832a7
commit
d6b5c03d1f
5 changed files with 53 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      lib/parser_inline.js
  2. 6
      test/fixtures/remarkable/_pending.txt
  3. 31
      test/fixtures/remarkable/xss.txt
  4. 2
      test/remarkable.js
  5. 3
      test/utils.js

14
lib/parser_inline.js
View File

@ -25,8 +25,20 @@ rules.push(require('./rules_inline/htmltag'));
rules.push(require('./rules_inline/entity'));
rules.push(require('./rules_inline/escape_html_char'));
var BAD_PROTOCOLS = [ 'vbscript', 'javascript' ];
function validateLink(url) {
if (url.indexOf('javas' + 'cript:') === 0) { return false; }
var str = '';
try {
str = decodeURI(url).trim().toLowerCase();
} catch (_) {}
if (!str) { return false; }
if (BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
return false;
}
return true;
}

6
test/fixtures/remarkable/_pending.txt
View File

@ -0,0 +1,6 @@
.
![xss link](javascript:alert(1))
.
<p>![xss link](javascript:alert(1))</p>
.

31
test/fixtures/remarkable/xss.txt
View File

@ -0,0 +1,31 @@
Should not allow some protocols in links and images
.
[xss link](javascript:alert(1))
.
<p>[xss link](javascript:alert(1))</p>
.
.
[xss link](JAVASCRIPT:alert(1))
.
<p>[xss link](JAVASCRIPT:alert(1))</p>
.
.
[xss link](vbscript:alert(1))
.
<p>[xss link](vbscript:alert(1))</p>
.
.
[xss link](VBSCRIPT:alert(1))
.
<p>[xss link](VBSCRIPT:alert(1))</p>
.
.
[xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
.
<p><a href="&amp;#34;&amp;#62;&amp;#60;script&amp;#62;alert&amp;#40;&amp;#34;xss&amp;#34;&amp;#41;&amp;#60;/script&amp;#62;">xss link</a></p>
.

2
test/remarkable.js
View File

@ -9,7 +9,7 @@ var utils = require('./utils');
var Remarkable = require('../');
describe('Default', function () {
describe('remarkable', function () {
var md = new Remarkable({
html: true,
langPrefix: '',

3
test/utils.js
View File

@ -65,7 +65,8 @@ function addSpecTests(fPath, markdown, skip) {
input.replace(/^\.\n([\s\S]*?)^\.\n([\s\S]*?)^\.$/gm, function(__, md, html, offset, orig) {
var line = orig.slice(0, offset).split(/\r?\n/g).length;
if (!skip) {
// Also skip tests if file name starts with "_"
if (!skip && path.basename(fPath)[0] !== '_') {
it('line ' + line, function () {
assert.strictEqual(html, markdown.render(md));
});

Write Preview
Loading…
Cancel
Save