Fix injection vulnerabilities

* fix: fixing injection vulnerabilities in render

* fix: removed style attribute support on img elements

* fix: added validation of iframe url hostnames

* fix: fixed fixture to use urls that are parseable by url.parse

* fix: removed brittle regex and added literal string matching for hostnames

* fix: removed node 6 support

* fix: added fixture for style attribute removal

* fix: added test for style attribute removal from img elements

.travis.yml

@@ -4,7 +4,6 @@ notifications:
   email: false
 
 node_js:
-  - 6
   - 8
 
 before_install:

lib/sanitize.js

@@ -1,4 +1,6 @@
 var sanitizeHtml = require('sanitize-html')
+const url = require('url')
+
 module.exports = function (html, options) {
   var config
   if (options && options.prefixHeadingIds) {
@@ -68,7 +70,7 @@ function getSanitizerConfig (options) {
       h5: ['id', 'align'],
       h6: ['id', 'align'],
       a: ['href', 'id', 'name', 'target', 'title', 'aria-hidden', 'rel'],
-      img: ['alt', 'id', 'src', 'width', 'height', 'align', 'valign', 'title', 'style'],
+      img: ['alt', 'id', 'src', 'width', 'height', 'align', 'valign', 'title'],
       p: ['align'],
       meta: ['name', 'content'],
       iframe: ['src', 'frameborder', 'allowfullscreen'],
@@ -94,7 +96,9 @@ function getSanitizerConfig (options) {
 
       // Allow YouTube iframes
       if (frame.tag !== 'iframe') return false
-      return !String(frame.attribs.src).match(/^(https?:)?\/\/(www\.)?youtube\.com/)
+
+      const parsed = url.parse(frame.attribs.src || '')
+      return !['www.youtube.com', 'youtube.com', 'youtu.be'].includes(parsed.hostname)
     },
     transformTags: {
       'td': sanitizeCellStyle,

marky.json

@@ -1 +1 @@
-{"version":"12.0.0","repositoryUrl":"https://github.com/npm/marky-markdown","issuesUrl":"https://github.com/npm/marky-markdown/issues"}
+{"version":"12.0.3","repositoryUrl":"https://github.com/npm/marky-markdown","issuesUrl":"https://github.com/npm/marky-markdown/issues"}