Browse Source

Improved prohibited protocols check in links

pull/14/head
Vitaly Puzrin 10 years ago
parent
commit
d6b5c03d1f
  1. 14
      lib/parser_inline.js
  2. 6
      test/fixtures/remarkable/_pending.txt
  3. 31
      test/fixtures/remarkable/xss.txt
  4. 2
      test/remarkable.js
  5. 3
      test/utils.js

14
lib/parser_inline.js

@ -25,8 +25,20 @@ rules.push(require('./rules_inline/htmltag'));
rules.push(require('./rules_inline/entity')); rules.push(require('./rules_inline/entity'));
rules.push(require('./rules_inline/escape_html_char')); rules.push(require('./rules_inline/escape_html_char'));
var BAD_PROTOCOLS = [ 'vbscript', 'javascript' ];
function validateLink(url) { function validateLink(url) {
if (url.indexOf('javas' + 'cript:') === 0) { return false; } var str = '';
try {
str = decodeURI(url).trim().toLowerCase();
} catch (_) {}
if (!str) { return false; }
if (BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
return false;
}
return true; return true;
} }

6
test/fixtures/remarkable/_pending.txt

@ -0,0 +1,6 @@
.
![xss link](javascript:alert(1))
.
<p>![xss link](javascript:alert(1))</p>
.

31
test/fixtures/remarkable/xss.txt

@ -0,0 +1,31 @@
Should not allow some protocols in links and images
.
[xss link](javascript:alert(1))
.
<p>[xss link](javascript:alert(1))</p>
.
.
[xss link](JAVASCRIPT:alert(1))
.
<p>[xss link](JAVASCRIPT:alert(1))</p>
.
.
[xss link](vbscript:alert(1))
.
<p>[xss link](vbscript:alert(1))</p>
.
.
[xss link](VBSCRIPT:alert(1))
.
<p>[xss link](VBSCRIPT:alert(1))</p>
.
.
[xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
.
<p><a href="&amp;#34;&amp;#62;&amp;#60;script&amp;#62;alert&amp;#40;&amp;#34;xss&amp;#34;&amp;#41;&amp;#60;/script&amp;#62;">xss link</a></p>
.

2
test/remarkable.js

@ -9,7 +9,7 @@ var utils = require('./utils');
var Remarkable = require('../'); var Remarkable = require('../');
describe('Default', function () { describe('remarkable', function () {
var md = new Remarkable({ var md = new Remarkable({
html: true, html: true,
langPrefix: '', langPrefix: '',

3
test/utils.js

@ -65,7 +65,8 @@ function addSpecTests(fPath, markdown, skip) {
input.replace(/^\.\n([\s\S]*?)^\.\n([\s\S]*?)^\.$/gm, function(__, md, html, offset, orig) { input.replace(/^\.\n([\s\S]*?)^\.\n([\s\S]*?)^\.$/gm, function(__, md, html, offset, orig) {
var line = orig.slice(0, offset).split(/\r?\n/g).length; var line = orig.slice(0, offset).split(/\r?\n/g).length;
if (!skip) { // Also skip tests if file name starts with "_"
if (!skip && path.basename(fPath)[0] !== '_') {
it('line ' + line, function () { it('line ' + line, function () {
assert.strictEqual(html, markdown.render(md)); assert.strictEqual(html, markdown.render(md));
}); });

Loading…
Cancel
Save