Public-Mirrors
/
markdown-it
mirror of https://github.com/markdown-it/markdown-it.git
1
0
Fork 0
Code Issues Releases Activity
Markdown parser, done right. 100% CommonMark support, extensions, syntax plugins & high speed https://markdown-it.github.io/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
370 Commits
2 Branches
79 Tags
11 MiB
 
 
 
Tree: 9afffbaefd
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9afffbaefd'
${ noResults }
markdown-it/test/fixtures/markdown-it/xss.txt

79 lines
1.2 KiB
Raw Blame History

.
[normal link](javascript)
.
<p><a href="javascript">normal link</a></p>
.
Should not allow some protocols in links and images
.
[xss link](javascript:alert(1))
[xss link](JAVASCRIPT:alert(1))
[xss link](vbscript:alert(1))
[xss link](VBSCRIPT:alert(1))
[xss link](file:///123)
.
<p>[xss link](javascript:alert(1))</p>
<p>[xss link](JAVASCRIPT:alert(1))</p>
<p>[xss link](vbscript:alert(1))</p>
<p>[xss link](VBSCRIPT:alert(1))</p>
<p>[xss link](file:///123)</p>
.
.
[xss link](&#34;&#62;&#60;script&#62;alert&#40;&#34;xss&#34;&#41;&#60;/script&#62;)
.
<p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p>
.
.
[xss link](<javascript:alert(1)>)
.
<p>[xss link](&lt;javascript:alert(1)&gt;)</p>
.
.
[xss link](javascript&#x3A;alert(1))
.
<p>[xss link](javascript:alert(1))</p>
.
Image parser use the same code base.
.
![xss link](javascript:alert(1))
.
<p>![xss link](javascript:alert(1))</p>
.
Autolinks
.
<javascript&#x3A;alert(1)>
<javascript:alert(1)>
.
<p>&lt;javascript:alert(1)&gt;</p>
<p>&lt;javascript:alert(1)&gt;</p>
.
Linkifier
.
javascript&#x3A;alert(1)
javascript:alert(1)
.
<p>javascript:alert(1)</p>
<p>javascript:alert(1)</p>
.