|
@ -20,20 +20,41 @@ var config = { |
|
|
commonmark: require('./presets/commonmark') |
|
|
commonmark: require('./presets/commonmark') |
|
|
}; |
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ]; |
|
|
//
|
|
|
|
|
|
// This validator does not pretent to functionality of full weight sanitizers.
|
|
|
|
|
|
// It's a tradeoff between default security, simplicity and usability.
|
|
|
|
|
|
// If you need different setup - override validator method as you wish. Or
|
|
|
|
|
|
// replace it with dummy function and use external sanitizer.
|
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
|
|
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file', 'data' ]; |
|
|
|
|
|
var ALLOWED_DATA_MIMES = [ |
|
|
|
|
|
'data:image/gif', |
|
|
|
|
|
'data:image/png', |
|
|
|
|
|
'data:image/jpeg', |
|
|
|
|
|
'data:image/webp' |
|
|
|
|
|
]; |
|
|
|
|
|
|
|
|
function validateLink(url) { |
|
|
function validateLink(url) { |
|
|
// url should be normalized at this point, and existing entities are decoded
|
|
|
// url should be normalized at this point, and existing entities are decoded
|
|
|
//
|
|
|
|
|
|
var str = url.trim().toLowerCase(); |
|
|
|
|
|
|
|
|
|
|
|
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) { |
|
|
var str = url.trim().toLowerCase(), |
|
|
|
|
|
protocol = str.split(':')[0]; |
|
|
|
|
|
|
|
|
|
|
|
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(protocol) >= 0) { |
|
|
|
|
|
if (protocol === 'data' && ALLOWED_DATA_MIMES.indexOf(str.split(';')[0]) >= 0) { |
|
|
|
|
|
return true; |
|
|
|
|
|
} |
|
|
return false; |
|
|
return false; |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
return true; |
|
|
return true; |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
var RECODE_HOSTNAME_FOR = [ 'http:', 'https:', 'mailto:' ]; |
|
|
var RECODE_HOSTNAME_FOR = [ 'http:', 'https:', 'mailto:' ]; |
|
|
|
|
|
|
|
|
function normalizeLink(url) { |
|
|
function normalizeLink(url) { |
|
|