parsedown

mirror/parsedown

Fork 0

mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00

Commit Graph

Author	SHA1	Message	Date
Aidan Woods	67c3efbea0	according to https://tools.ietf.org/html/rfc3986#section-3 the colon is a required part of the syntax, other methods of achieving the colon character (as to browser interpretation) should be taken care of by htmlencoding that is done on all attribute content	2017-05-10 16:57:18 +01:00
Aidan Woods	054ba3c487	urlencode urls that are potentially unsafe: this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use) but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded) this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript&colon;alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script&colon;alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `&colon;`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.	2017-05-03 17:01:27 +01:00
Aidan Woods	af04ac92e2	add xss tests	2017-05-01 03:33:49 +01:00

Author

SHA1

Message

Date

Aidan Woods

67c3efbea0

according to https://tools.ietf.org/html/rfc3986#section-3 the colon is a required part of the syntax, other methods of achieving the colon character (as to browser interpretation) should be taken care of by htmlencoding that is done on all attribute content

2017-05-10 16:57:18 +01:00

Aidan Woods

054ba3c487

urlencode urls that are potentially unsafe:

this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use)
but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded)

this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript&colon;alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script&colon;alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `&colon;`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.

2017-05-03 17:01:27 +01:00

Aidan Woods

af04ac92e2

add xss tests

2017-05-01 03:33:49 +01:00

3 Commits