Browse Source

Disabled data URIs (allow only some whitelisted images)

pull/82/head
Vitaly Puzrin 10 years ago
parent
commit
f76d3beb46
  1. 29
      lib/index.js
  2. 15
      test/fixtures/markdown-it/xss.txt

29
lib/index.js

@ -20,20 +20,41 @@ var config = {
commonmark: require('./presets/commonmark')
};
////////////////////////////////////////////////////////////////////////////////
//
// This validator does not pretent to functionality of full weight sanitizers.
// It's a tradeoff between default security, simplicity and usability.
// If you need different setup - override validator method as you wish. Or
// replace it with dummy function and use external sanitizer.
//
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file', 'data' ];
var ALLOWED_DATA_MIMES = [
'data:image/gif',
'data:image/png',
'data:image/jpeg',
'data:image/webp'
];
function validateLink(url) {
// url should be normalized at this point, and existing entities are decoded
//
var str = url.trim().toLowerCase();
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
var str = url.trim().toLowerCase(),
protocol = str.split(':')[0];
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(protocol) >= 0) {
if (protocol === 'data' && ALLOWED_DATA_MIMES.indexOf(str.split(';')[0]) >= 0) {
return true;
}
return false;
}
return true;
}
////////////////////////////////////////////////////////////////////////////////
var RECODE_HOSTNAME_FOR = [ 'http:', 'https:', 'mailto:' ];
function normalizeLink(url) {

15
test/fixtures/markdown-it/xss.txt

@ -53,6 +53,21 @@ Should not allow some protocols in links and images
.
Should not allow data-uri except some whitelisted mimes
.
![](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
.
<p><img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt=""></p>
.
.
[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
.
<p>[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)</p>
.
Image parser use the same code base.
.
![xss link](javascript:alert(1))

Loading…
Cancel
Save