Commit

fix: disallow ascii control characters in URLs (#334)
dominykas authored and TrySound committed Jul 29, 2019
1 parent 232a554 commit 49e87b7
Showing 2 changed files with 9 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/helpers/parse_link_destination.js
Expand Up @@ -52,7 +52,8 @@ module.exports = function parseLinkDestination(state, pos) {

if (code === 0x20) { break; }

if (code > 0x08 && code < 0x0e) { break; }
// ascii control chars
if (code < 0x20 || code === 0x7F) { break; }

if (code === 0x5C /* \ */ && pos + 1 < max) {
pos += 2;
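
Review bot: The comment `// ascii control chars` on the new `if (code < 0x20 || code === 0x7F) { break; }` check names the range but not the reason for it. Suggest stating that a control character ends the link destination so that a `javascript:` destination containing one is left as plain text (the case added to xss.txt), since the old `code > 0x08 && code < 0x0e` test gave no hint that this is a security boundary. With the wider range, the separate `if (code === 0x20) { break; }` just above could also be folded in as `code <= 0x20 || code === 0x7F`.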
7 changes: 7 additions & 0 deletions test/fixtures/remarkable/xss.txt
Expand Up @@ -77,3 +77,10 @@ javascript:alert(1)
<p>javascript:alert(1)</p>
<p>javascript:alert(1)</p>
.


.
[ASCII control characters XSS](javascript:alert(1))
.
<p>[ASCII control characters XSS](javascript:alert(1))</p>
.
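
Review bot: Only one fixture is added, and as shown its input line reads as a plain `javascript:alert(1)` destination, so which control byte it carries cannot be seen in review. Suggest naming the byte in the case title and adding cases for the edges of the new check in parse_link_destination.js: one below 0x09, one in 0x0E to 0x1F, and 0x7F, which is its own branch of the condition and is otherwise untested.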
