Browse Source

Markdown.pl: better sanitization of href and src attributes

Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
master
Kyle J. McKay 4 years ago
parent
commit
50422d1e28
  1. 7
      Markdown.pl

7
Markdown.pl

@ -3712,6 +3712,13 @@ sub _SanitizeAtt {
return "" if $_[3]->{$att}; # no repeats return "" if $_[3]->{$att}; # no repeats
$_[3]->{$att} = 1; $_[3]->{$att} = 1;
$impatt{$att} and return $att."=".'"'.$att.'"'; $impatt{$att} and return $att."=".'"'.$att.'"';
(($_[4] eq "a" && $att eq "href") ||
($_[4] eq "img" && $att eq "src")) &&
$_[1] =~ /^\s*[\047\042]\s*javascript:/io and do {
$_[1] = '"#"';
ref($opt{base_prefix}) eq 'CODE' and
$_[1] = '"' . escapeXML(&{$opt{base_prefix}}("#")) . '"';
};
if ($lcattval{$att}) { if ($lcattval{$att}) {
return $att."="._SanitizeAttValue(lc($_[1]))." "; return $att."="._SanitizeAttValue(lc($_[1]))." ";
} else { } else {

Loading…
Cancel
Save