Added data: and vbscript: link fix to prevent XSS vulnerability

ariabuckles · Mar 14, 2019 · 8ad751f · 8ad751f
1 parent 74c304d
commit 8ad751f
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 1 deletion.
diff --git a/__tests__/simple-markdown-test.js b/__tests__/simple-markdown-test.js
@@ -3341,6 +3341,34 @@ describe("simple markdown", function() {
                 html2,
                 "<div class=\"paragraph\"><a>link</a></div>"
             );
+
+            var html3 = htmlFromReactMarkdown(
+                "[link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGknKTwvc2NyaXB0Pg==)"
+            );
+            assert.strictEqual(html3, "<a>link</a>");
+
+            var html4 = htmlFromReactMarkdown(
+                "[link][1]\n\n" +
+                "[1]: data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGknKTwvc2NyaXB0Pg==\n\n"
+            );
+            assert.strictEqual(
+                html4,
+                "<div class=\"paragraph\"><a>link</a></div>"
+            );
+
+            var html5 = htmlFromReactMarkdown(
+                "[link](vbscript:alert)"
+            );
+            assert.strictEqual(html5, "<a>link</a>");
+
+            var html6 = htmlFromReactMarkdown(
+                "[link][1]\n\n" +
+                "[1]: vbscript:alert\n\n"
+            );
+            assert.strictEqual(
+                html6,
+                "<div class=\"paragraph\"><a>link</a></div>"
+            );
         });
 
         it("should not sanitize safe links", function() {
@@ -3711,6 +3739,32 @@ describe("simple markdown", function() {
                 markdown2,
                 "<div class=\"paragraph\"><a>link</a></div>"
             );
+
+            var markdown3 = "[link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGknKTwvc2NyaXB0Pg==)";
+            assertParsesToHtml(
+                markdown3,
+                "<a>link</a>"
+            );
+
+            var markdown4 = "[link][1]\n\n" +
+                "[1]: data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGknKTwvc2NyaXB0Pg==\n\n";
+            assertParsesToHtml(
+                markdown4,
+                "<div class=\"paragraph\"><a>link</a></div>"
+            );
+
+            var markdown5 = "[link](vbscript:alert)";
+            assertParsesToHtml(
+                markdown5,
+                "<a>link</a>"
+            );
+
+            var markdown6 = "[link][1]\n\n" +
+                "[1]: vbscript:alert\n\n";
+            assertParsesToHtml(
+                markdown6,
+                "<div class=\"paragraph\"><a>link</a></div>"
+            );
         });
 
         it("should not sanitize safe links", function() {

diff --git a/simple-markdown.js b/simple-markdown.js
@@ -561,7 +561,7 @@ var sanitizeUrl = function(url /* : ?string */) {
         var prot = decodeURIComponent(url)
             .replace(/[^A-Za-z0-9/:]/g, '')
             .toLowerCase();
-        if (prot.indexOf('javascript:') === 0) {
+        if (prot.indexOf('javascript:') === 0 || prot.indexOf('vbscript:') === 0 || prot.indexOf('data:') === 0) {
             return null;
         }
     } catch (e) {