1
0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00

urlencode urls that are potentially unsafe:

this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use)
but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded)

this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.
This commit is contained in:
Aidan Woods 2017-05-03 17:01:27 +01:00
parent 4bae1c9834
commit 054ba3c487
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
3 changed files with 25 additions and 19 deletions

View File

@ -87,7 +87,6 @@ class Parsedown
protected $safeLinksWhitelist = array( protected $safeLinksWhitelist = array(
'http://', 'http://',
'https://', 'https://',
'/',
'ftp://', 'ftp://',
'ftps://', 'ftps://',
'mailto:', 'mailto:',
@ -1554,7 +1553,14 @@ class Parsedown
if ( ! $safe) if ( ! $safe)
{ {
unset($Element['attributes'][$attribute]); $Element['attributes'][$attribute] = preg_replace_callback(
'/[^\/#?&=%]++/',
function (array $match)
{
return urlencode($match[0]);
},
$Element['attributes'][$attribute]
);
} }
} }

View File

@ -1,5 +1,5 @@
<p><a href="http://example.com">link</a></p> <p><a href="http://example.com">link</a></p>
<p><a href="/url-(parentheses)">link</a> with parentheses in URL </p> <p><a href="/url-%28parentheses%29">link</a> with parentheses in URL </p>
<p>(<a href="/index.php">link</a>) in parentheses</p> <p>(<a href="/index.php">link</a>) in parentheses</p>
<p><a href="http://example.com"><code>link</code></a></p> <p><a href="http://example.com"><code>link</code></a></p>
<p><a href="http://example.com"><img src="http://parsedown.org/md.png" alt="MD Logo" /></a></p> <p><a href="http://example.com"><img src="http://parsedown.org/md.png" alt="MD Logo" /></a></p>

View File

@ -1,16 +1,16 @@
<p><a>xss</a></p> <p><a href="javascript%3Aalert%281%29">xss</a></p>
<p><a>xss</a></p> <p><a href="javascript%3Aalert%281%29">xss</a></p>
<p><a>xss</a></p> <p><a href="javascript%3A//alert%281%29">xss</a></p>
<p><a>xss</a></p> <p><a href="javascript&amp;colon%3Balert%281%29">xss</a></p>
<p><img alt="xss" /></p> <p><img src="javascript%3Aalert%281%29" alt="xss" /></p>
<p><img alt="xss" /></p> <p><img src="javascript%3Aalert%281%29" alt="xss" /></p>
<p><img alt="xss" /></p> <p><img src="javascript%3A//alert%281%29" alt="xss" /></p>
<p><img alt="xss" /></p> <p><img src="javascript&amp;colon%3Balert%281%29" alt="xss" /></p>
<p><a>xss</a></p> <p><a href="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
<p><a>xss</a></p> <p><a href="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
<p><a>xss</a></p> <p><a href="data%3A//text/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
<p><a>xss</a></p> <p><a href="data&amp;colon%3Btext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
<p><img alt="xss" /></p> <p><img src="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
<p><img alt="xss" /></p> <p><img src="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
<p><img alt="xss" /></p> <p><img src="data%3A//text/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
<p><img alt="xss" /></p> <p><img src="data&amp;colon%3Btext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>