1
0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Commit Graph

35 Commits

Author SHA1 Message Date
Aidan Woods
67c3efbea0
according to https://tools.ietf.org/html/rfc3986#section-3 the colon is a required part of the syntax, other methods of achieving the colon character (as to browser interpretation) should be taken care of by htmlencoding that is done on all attribute content 2017-05-10 16:57:18 +01:00
Aidan Woods
b1e5aebaf6
add single safeMode option that encompasses protection from link destination xss and plain markup based xss into a single on/off switch 2017-05-09 19:22:58 +01:00
Aidan Woods
054ba3c487
urlencode urls that are potentially unsafe:
this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use)
but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded)

this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.
2017-05-03 17:01:27 +01:00
Aidan Woods
af04ac92e2
add xss tests 2017-05-01 03:33:49 +01:00
gene_sis
48351504de adjust two regex pattern within inlineLink() to reduce backtracking
add test with base64 image
2017-01-07 00:45:38 +01:00
Aidan Woods
932bafe0f0 update test for new feature 2016-10-04 17:43:37 +01:00
Aidan Woods
ac857809ab update test for new feature 2016-10-04 17:41:57 +01:00
Aidan Woods
c145a75848 update test for new feature 2016-10-04 15:44:50 +01:00
Jeff Standen
b828fe7c8d Fixes #283 2015-02-03 13:58:47 -08:00
Emanuil Rusev
ffd9d3b407 improve tests 2015-01-24 14:37:40 +02:00
Emanuil Rusev
e94ecf4adc resolve #277 2015-01-24 14:21:55 +02:00
Emanuil Rusev
4d3079b908 resolve #274 2015-01-24 14:03:05 +02:00
Emanuil Rusev
b4a8eb3315 resolve #156 2015-01-16 00:04:18 +02:00
Emanuil Rusev
a06cdfb814 improve fix for #184 2015-01-15 21:32:18 +02:00
Emanuil Rusev
6bee326c92 resolve #184 2015-01-15 21:10:09 +02:00
Emanuil Rusev
9ed72ccd09 resolve #126 2015-01-15 02:24:39 +02:00
Emanuil Rusev
859b1b10c1 update tests 2015-01-12 02:57:20 +02:00
Emanuil Rusev
06135cd75a improve CommonMark compliance 2015-01-10 02:45:51 +02:00
Emanuil Rusev
38cc1ca7e0 resolve #251 2014-12-16 13:58:33 +02:00
Emanuil Rusev
ac68800717 improve extensibility 2014-12-15 01:07:29 +02:00
Emanuil Rusev
7ab3c60a77 improve CommonMark compliance 2014-12-02 22:23:43 +02:00
Emanuil Rusev
5bc6d90f8b resolve #248 2014-11-28 14:03:12 +02:00
Emanuil Rusev
9816507a75 markup should preserve empty lines 2014-11-19 20:18:56 +02:00
Emanuil Rusev
f91e4dece3 improve consistency 2014-09-26 13:06:40 +03:00
Jannik Zschiesche
512cc1f065 Limit generated headlines to h6 2014-08-25 21:06:03 +02:00
Haralan Dobrev
1127681d56 Allow slashes in HTML attributes 2014-08-13 23:54:52 +03:00
Emanuil Rusev
d24439ada0 improve test suite 2014-05-21 23:20:46 +03:00
Emanuil Rusev
2da10d277b resolve #105 2014-05-14 13:14:49 +03:00
Emanuil Rusev
532b5ede35 resolve #129 2014-05-14 01:11:05 +03:00
Emanuil Rusev
4dde57451d fix consecutive reference links 2014-05-06 17:05:49 +03:00
Emanuil Rusev
cc94c1b584 resolve #167 2014-05-02 18:21:10 +03:00
Emanuil Rusev
521803cdcd resolve #136 2014-05-01 02:42:01 +03:00
Emanuil Rusev
e373391e7d resolve #164 2014-05-01 00:29:21 +03:00
Emanuil Rusev
9fa415bcc5 resolve #160 2014-04-28 21:54:38 +03:00
Emanuil Rusev
37416b5f07 simplify folder name 2014-04-28 21:53:34 +03:00