Allow image data URI schemes

samclarke · Nov 14, 2016 · c7ba24e · c7ba24e
1 parent 22fc15e
commit c7ba24e
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 3 deletions.
diff --git a/src/lib/escape.js b/src/lib/escape.js
@@ -1,8 +1,17 @@
 define(function (require, exports) {
 	'use strict';
 
+	/* jshint maxlen: false */
+	// Must start with a valid scheme
+	// 		^
+	// Schemes that are considered safe
+	// 		(https?|s?ftp|mailto|spotify|skype|ssh|teamspeak|tel):|
+	// Relative schemes (//:) are considered safe
+	// 		(\\/\\/)|
+	// Image data URI's are considered safe
+	// 		data:image\\/(png|bmp|gif|p?jpe?g);
 	var VALID_SCHEME_REGEX =
-		/^(?:https?|s?ftp|mailto|spotify|skype|ssh|teamspeak|tel):|(?:\/\/)/i;
+		/^(https?|s?ftp|mailto|spotify|skype|ssh|teamspeak|tel):|(\/\/)|data:image\/(png|bmp|gif|p?jpe?g);/i;
 
 	/**
 	 * Escapes a string so it's safe to use in regex
@@ -72,6 +81,7 @@ define(function (require, exports) {
 	 * teamspeak
 	 * tel
 	 * //
+	 * data:image/(png|jpeg|jpg|pjpeg|bmp|gif);
 	 *
 	 * **IMPORTANT**: This does not escape any HTML in a url, for
 	 * that use the escape.entities() method.

diff --git a/tests/unit/lib/escape.js b/tests/unit/lib/escape.js
@@ -77,7 +77,11 @@ define([
 			'ssh:user@host.com:22',
 			'teamspeak:12345',
 			'tel:12345',
-			'//www.example.com/test?id=123'
+			'//www.example.com/test?id=123',
+			'data:image/png;test',
+			'data:image/gif;test',
+			'data:image/jpg;test',
+			'data:image/bmp;test'
 		];
 
 		expect(urls.length);
@@ -101,7 +105,8 @@ define([
 		var urls = [
 			'javascript:alert("XSS");',
 			'jav	ascript:alert(\'XSS\');',
-			'vbscript:msgbox("XSS")'
+			'vbscript:msgbox("XSS")',
+			'data:application/javascript;alert("xss")'
 		];
 
 		expect(urls.length);