ensure javascript: protocols are not encoded in entities and references.

markedjs · Jan 10, 2014 · 613bf6a · 613bf6a
1 parent cd507dd
commit 613bf6a
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/lib/marked.js b/lib/marked.js
@@ -848,7 +848,9 @@ Renderer.prototype.del = function(text) {
 Renderer.prototype.link = function(href, title, text) {
   if (this.options.sanitize) {
     try {
-      var prot = decodeURIComponent(href).replace(/[^\w:]/g, '').toLowerCase();
+      var prot = decodeURIComponent(unescape(href))
+        .replace(/[^\w:]/g, '')
+        .toLowerCase();
     } catch (e) {
       return '';
     }
@@ -1066,6 +1068,19 @@ function escape(html, encode) {
     .replace(/'/g, '&#39;');
 }
 
+function unescape(html) {
+  return html.replace(/&([#\w]+);/g, function(_, n) {
+    n = n.toLowerCase();
+    if (n === 'colon') return ':';
+    if (n.charAt(0) === '#') {
+      return n.charAt(1) === 'x'
+        ? String.fromCharCode(parseInt(n.substring(2), 16))
+        : String.fromCharCode(+n.substring(1));
+    }
+    return '';
+  });
+}
+
 function replace(regex, opt) {
   regex = regex.source;
   opt = opt || '';