mirror of
https://github.com/erusev/parsedown.git
synced 2023-08-10 21:13:06 +03:00
054ba3c487
this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use) but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded) this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.
16 lines
1.2 KiB
HTML
16 lines
1.2 KiB
HTML
<p><a href="javascript%3Aalert%281%29">xss</a></p>
|
|
<p><a href="javascript%3Aalert%281%29">xss</a></p>
|
|
<p><a href="javascript%3A//alert%281%29">xss</a></p>
|
|
<p><a href="javascript&colon%3Balert%281%29">xss</a></p>
|
|
<p><img src="javascript%3Aalert%281%29" alt="xss" /></p>
|
|
<p><img src="javascript%3Aalert%281%29" alt="xss" /></p>
|
|
<p><img src="javascript%3A//alert%281%29" alt="xss" /></p>
|
|
<p><img src="javascript&colon%3Balert%281%29" alt="xss" /></p>
|
|
<p><a href="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
|
<p><a href="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
|
<p><a href="data%3A//text/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
|
<p><a href="data&colon%3Btext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
|
<p><img src="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
|
<p><img src="data%3Atext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
|
<p><img src="data%3A//text/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
|
<p><img src="data&colon%3Btext/html%3Bbase64%2CPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p> |