From d6b5c03d1fd5f4b0b728af4508c0c808f5e1c92f Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Thu, 23 Oct 2014 14:52:04 +0400
Subject: [PATCH] Improved prohibited protocols check in links

---
 lib/parser_inline.js | 14 +++++++++++-
 test/fixtures/remarkable/_pending.txt | 6 ++++++
 test/fixtures/remarkable/xss.txt | 31 +++++++++++++++++++++++++++
 test/remarkable.js | 2 +-
 test/utils.js | 3 ++-
 5 files changed, 53 insertions(+), 3 deletions(-)
 create mode 100644 test/fixtures/remarkable/_pending.txt
 create mode 100644 test/fixtures/remarkable/xss.txt

diff --git a/lib/parser_inline.js b/lib/parser_inline.js
index cd30260..52ab114 100644
--- a/lib/parser_inline.js
+++ b/lib/parser_inline.js
@@ -25,8 +25,20 @@ rules.push(require('./rules_inline/htmltag'));
 rules.push(require('./rules_inline/entity'));
 rules.push(require('./rules_inline/escape_html_char'));
 
+var BAD_PROTOCOLS = [ 'vbscript', 'javascript' ];
+
 function validateLink(url) {
- if (url.indexOf('javas' + 'cript:') === 0) { return false; }
+ var str = '';
+
+ try {
+ str = decodeURI(url).trim().toLowerCase();
+ } catch (_) {}
+
+ if (!str) { return false; }
+
+ if (BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
+ return false;
+ }
 return true;
 }
 
diff --git a/test/fixtures/remarkable/_pending.txt b/test/fixtures/remarkable/_pending.txt
new file mode 100644
index 0000000..655ef80
--- /dev/null
+++ b/test/fixtures/remarkable/_pending.txt
@@ -0,0 +1,6 @@
+.
+![xss link](javascript:alert(1))
+.
+
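Review bot: The empty `catch (_) {}` around `decodeURI(url)` is doing real work — a malformed percent-escape leaves `str` empty and the following `if (!str) { return false; }` rejects the link — but nothing says so, and a later cleanup that rethrows or falls back to the raw `url` would silently turn this fail-closed path into a fail-open one; add `// decodeURI throws on malformed %-escapes: leave str empty so the link is rejected below` above the `try`. The scheme check compares `str.split(':')[0]` against a deny-list of two names, and a deny-list has to be revisited every time another scheme turns out to be executable in some consumer, so either document why exactly these two are covered or invert it into an allow-list of the schemes the renderer is meant to emit. `decodeURI` leaves reserved characters such as `:` encoded, so an encoded separator does not produce a match; that looks intended, but a one-line comment would save the next reader from re-deriving it.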

![xss link](javascript:alert(1))

+.
+
diff --git a/test/fixtures/remarkable/xss.txt b/test/fixtures/remarkable/xss.txt
new file mode 100644
index 0000000..f37252d
--- /dev/null
+++ b/test/fixtures/remarkable/xss.txt
@@ -0,0 +1,31 @@
+Should not allow some protocols in links and images
+
+.
+[xss link](javascript:alert(1))
+.
+

[xss link](javascript:alert(1))

+.
+
+.
+[xss link](JAVASCRIPT:alert(1))
+.
+

[xss link](JAVASCRIPT:alert(1))

+.
+
+.
+[xss link](vbscript:alert(1))
+.
+

[xss link](vbscript:alert(1))

+.
+
+.
+[xss link](VBSCRIPT:alert(1))
+.
+

[xss link](VBSCRIPT:alert(1))

+.
+
+.
+[xss link]("><script>alert("xss")</script>)
+.
+

xss link

+.
diff --git a/test/remarkable.js b/test/remarkable.js
index f868d2b..f797895 100644
--- a/test/remarkable.js
+++ b/test/remarkable.js
@@ -9,7 +9,7 @@ var utils = require('./utils');
 var Remarkable = require('../');
 
 
-describe('Default', function () {
+describe('remarkable', function () {
 var md = new Remarkable({
 html: true,
 langPrefix: '',
diff --git a/test/utils.js b/test/utils.js
index 79af6a8..69a7df5 100644
--- a/test/utils.js
+++ b/test/utils.js
@@ -65,7 +65,8 @@ function addSpecTests(fPath, markdown, skip) {
 input.replace(/^\.\n([\s\S]*?)^\.\n([\s\S]*?)^\.$/gm, function(__, md, html, offset, orig) {
 var line = orig.slice(0, offset).split(/\r?\n/g).length;
 
- if (!skip) {
+ // Also skip tests if file name starts with "_"
+ if (!skip && path.basename(fPath)[0] !== '_') {
 it('line ' + line, function () {
 assert.strictEqual(html, markdown.render(md));
 });
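Review bot: The xss.txt fixture only varies the letter case of the scheme, so the two new branches of `validateLink` in lib/parser_inline.js — the `trim()` and the `decodeURI` failure path — have no case pinning them; if the link parser accepts whitespace after `(`, add a destination with leading whitespace such as `[xss link](   javascript:alert(1))`, and add a malformed escape such as `[link](%)`, both expecting the literal text to be left unlinked as the existing cases do. Each expected-output block in this hunk is missing on this page (the `+` marker survives, the HTML line does not), so the rendered expectations cannot be checked here.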
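Review bot: Tests from a `_`-prefixed fixture file are now dropped without trace — the new `if (!skip && path.basename(fPath)[0] !== '_')` line simply never calls `it`, so a reporter shows nothing for `_pending.txt` and the open image case it holds can be forgotten. Registering them as pending keeps them visible: in an `else` branch, `it.skip('line ' + line, function () { assert.strictEqual(html, markdown.render(md)); });`, or `it('line ' + line);` with no callback. The check also relies on `path` being required in test/utils.js, which is outside this hunk; `addSpecTests` starts and ends outside the hunk as well.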