Disabled data URIs (allow only some whitelisted images)
Vitaly Puzrin committed Mar 30, 2015
1 parent f7976b2 commit f76d3be
Showing 2 changed files with 41 additions and 5 deletions.
31 changes: 26 additions & 5 deletions lib/index.js
Expand Up @@ -20,20 +20,41 @@ var config = {
commonmark: require('./presets/commonmark')
};


var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ];
////////////////////////////////////////////////////////////////////////////////
//
// This validator does not pretent to functionality of full weight sanitizers.
// It's a tradeoff between default security, simplicity and usability.
// If you need different setup - override validator method as you wish. Or
// replace it with dummy function and use external sanitizer.
//

var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file', 'data' ];
var ALLOWED_DATA_MIMES = [
'data:image/gif',
'data:image/png',
'data:image/jpeg',
'data:image/webp'
];

function validateLink(url) {
// url should be normalized at this point, and existing entities are decoded
//
var str = url.trim().toLowerCase();

if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
var str = url.trim().toLowerCase(),
protocol = str.split(':')[0];

if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(protocol) >= 0) {
if (protocol === 'data' && ALLOWED_DATA_MIMES.indexOf(str.split(';')[0]) >= 0) {
return true;
}
return false;
}

return true;
}

////////////////////////////////////////////////////////////////////////////////


var RECODE_HOSTNAME_FOR = [ 'http:', 'https:', 'mailto:' ];

function normalizeLink(url) {
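Review bot: The whitelist test `ALLOWED_DATA_MIMES.indexOf(str.split(';')[0])` only recognises the MIME when a `;` follows it, so a non-base64 image URI such as `data:image/png,%89PNG...` is rejected wholesale because `split(';')[0]` returns the entire URI. That is the safe direction, but it silently drops a valid form: if that is intended, a comment like `// only "data:<mime>;..." forms (e.g. base64) can pass; "data:<mime>,<payload>" is rejected as a whole` would stop the next reader from widening the check by accident, and if it is not, splitting on either delimiter, `ALLOWED_DATA_MIMES.indexOf(str.split(/[;,]/)[0]) >= 0`, accepts both forms while `image/svg+xml` (which can carry script) still never matches the list. Also `pretent` in the new header comment should be `pretend`. `normalizeLink`, whose signature closes the hunk, continues outside it.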
15 changes: 15 additions & 0 deletions test/fixtures/markdown-it/xss.txt
Expand Up @@ -53,6 +53,21 @@ Should not allow some protocols in links and images
.


Should not allow data-uri except some whitelisted mimes
.
![](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
.
<p><img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt=""></p>
.

.
[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
.
<p>[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)</p>
.



Image parser use the same code base.
.
![xss link](javascript:alert(1))
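Review bot: The new fixture pins one allowed image MIME and one blocked `data:text/html` link, but nothing pins the case a later editor is most likely to assume is safe: `data:image/svg+xml`, which is absent from the whitelist and can carry script. A third case such as `![](data:image/svg+xml;base64,PHN2Zy8+)` rendering as the literal `<p>![](data:image/svg+xml;base64,PHN2Zy8+)</p>` (the same escaped-literal shape the rejected link case already shows) would lock that in. A mixed-case variant like `DATA:image/GIF;base64,...` would also document that matching is case-insensitive after the validator's `toLowerCase()`.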
