added data: link fix to prevent xss

2024-11-23 09:48:17 +00:00 · 2017-01-19 15:03:37 -08:00 · 2017-01-19 15:03:37 -08:00 · cd2f6f5b70
commit cd2f6f5b70
parent 38f1727ffe
3 changed files with 5 additions and 2 deletions
--- a/lib/marked.js
+++ b/lib/marked.js
@ -875,7 +875,7 @@ Renderer.prototype.link = function(href, title, text) {
    } catch (e) {
      return '';
    }
-    if (prot.indexOf('javascript:') === 0 || prot.indexOf('vbscript:') === 0) {
+    if (prot.indexOf('javascript:') === 0 || prot.indexOf('vbscript:') === 0 || prot.indexOf('data:') === 0) {
      return '';
    }
  }
--- a/test/tests/links.sanitize.html
+++ b/test/tests/links.sanitize.html
@ -1,4 +1,5 @@
 <p></p>
 <p></p>
 <p></p>
+<p></p>
 <p></p>
--- a/test/tests/links.sanitize.text
+++ b/test/tests/links.sanitize.text
@ -4,4 +4,6 @@

 [URL](javascript&colon;alert&#40;1&#41;)

-[URL](javascript&#58document;alert&#40;1&#41;)
+[URL](javascript&#58document;alert&#40;1&#41;)
+
+[URL](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)