1
0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Commit Graph

7 Commits

Author SHA1 Message Date
Aidan Woods
b1e5aebaf6
add single safeMode option that encompasses protection from link destination xss and plain markup based xss into a single on/off switch 2017-05-09 19:22:58 +01:00
Aidan Woods
054ba3c487
urlencode urls that are potentially unsafe:
this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use)
but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded)

this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.
2017-05-03 17:01:27 +01:00
gene_sis
48351504de adjust two regex pattern within inlineLink() to reduce backtracking
add test with base64 image
2017-01-07 00:45:38 +01:00
Emanuil Rusev
4d3079b908 resolve #274 2015-01-24 14:03:05 +02:00
Emanuil Rusev
9ed72ccd09 resolve #126 2015-01-15 02:24:39 +02:00
Emanuil Rusev
7ab3c60a77 improve CommonMark compliance 2014-12-02 22:23:43 +02:00
Emanuil Rusev
37416b5f07 simplify folder name 2014-04-28 21:53:34 +03:00