mirror of
https://github.com/erusev/parsedown.git
synced 2023-08-10 21:13:06 +03:00
urlencode urls that are potentially unsafe:
this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use) but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded) this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.
This commit is contained in:
parent
4bae1c9834
commit
054ba3c487
@ -87,7 +87,6 @@ class Parsedown
|
|||||||
protected $safeLinksWhitelist = array(
|
protected $safeLinksWhitelist = array(
|
||||||
'http://',
|
'http://',
|
||||||
'https://',
|
'https://',
|
||||||
'/',
|
|
||||||
'ftp://',
|
'ftp://',
|
||||||
'ftps://',
|
'ftps://',
|
||||||
'mailto:',
|
'mailto:',
|
||||||
@ -1554,7 +1553,14 @@ class Parsedown
|
|||||||
|
|
||||||
if ( ! $safe)
|
if ( ! $safe)
|
||||||
{
|
{
|
||||||
unset($Element['attributes'][$attribute]);
|
$Element['attributes'][$attribute] = preg_replace_callback(
|
||||||
|
'/[^\/#?&=%]++/',
|
||||||
|
function (array $match)
|
||||||
|
{
|
||||||
|
return urlencode($match[0]);
|
||||||
|
},
|
||||||
|
$Element['attributes'][$attribute]
|
||||||
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
<p><a href="http://example.com">link</a></p>
|
<p><a href="http://example.com">link</a></p>
|
||||||
<p><a href="/url-(parentheses)">link</a> with parentheses in URL </p>
|
<p><a href="/url-%28parentheses%29">link</a> with parentheses in URL </p>
|
||||||
<p>(<a href="/index.php">link</a>) in parentheses</p>
|
<p>(<a href="/index.php">link</a>) in parentheses</p>
|
||||||
<p><a href="http://example.com"><code>link</code></a></p>
|
<p><a href="http://example.com"><code>link</code></a></p>
|
||||||
<p><a href="http://example.com"><img src="http://parsedown.org/md.png" alt="MD Logo" /></a></p>
|
<p><a href="http://example.com"><img src="http://parsedown.org/md.png" alt="MD Logo" /></a></p>
|
||||||
|
@ -1,16 +1,16 @@
|
|||||||
<p><a>xss</a></p>
|
<p><a href="javascript%3Aalert%281%29">xss</a></p>
|
||||||
<p><a>xss</a></p>
|
<p><a href="javascript%3Aalert%281%29">xss</a></p>
|
||||||
<p><a>xss</a></p>
|
<p><a href="javascript%3A//alert%281%29">xss</a></p>
|
||||||
<p><a>xss</a></p>
|
<p><a href="javascript&colon%3Balert%281%29">xss</a></p>
|
||||||
<p><img alt="xss" /></p>
|
<p><img src="javascript%3Aalert%281%29" alt="xss" /></p>
|
||||||
<p><img alt="xss" /></p>
|
<p><img src="javascript%3Aalert%281%29" alt="xss" /></p>
|
||||||
<p><img alt="xss" /></p>
|
<p><img src="javascript%3A//alert%281%29" alt="xss" /></p>
|
||||||
<p><img alt="xss" /></p>
|
<p><img src="javascript&colon%3Balert%281%29" alt="xss" /></p>
|
||||||
<p><a>xss</a></p>
|
<p><a href="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
||||||
<p><a>xss</a></p>
|
<p><a href="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
||||||
<p><a>xss</a></p>
|
<p><a href="data%3A//text/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
||||||
<p><a>xss</a></p>
|
<p><a href="data&colon%3Btext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
||||||
<p><img alt="xss" /></p>
|
<p><img src="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
||||||
<p><img alt="xss" /></p>
|
<p><img src="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
||||||
<p><img alt="xss" /></p>
|
<p><img src="data%3A//text/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
||||||
<p><img alt="xss" /></p>
|
<p><img src="data&colon%3Btext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
Loading…
Reference in New Issue
Block a user