feat: restore plugin sanitize function, rename to sanitizeUrl

hexojs · Jul 12, 2019 · ce94875 · ce94875
1 parent 28ce9bf
commit ce94875
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -28,6 +28,7 @@ marked:
   smartypants: true
   modifyAnchors: ''
   autolink: true
+  sanitizeUrl: false
 ```
 
 - **gfm** - Enables [GitHub flavored markdown](https://help.github.com/articles/github-flavored-markdown)
@@ -37,6 +38,7 @@ marked:
 - **smartypants** - Use "smart" typograhic punctuation for things like quotes and dashes.
 - **modifyAnchors** - Use for transform anchorIds. if `1` to lowerCase and if `2` to upperCase. **Must be integer**.
 - **autolink** - Enable autolink for URLs. E.g. `https://hexo.io` will become `<a href="https://hexo.io">https://hexo.io</a>`.
+- **sanitizeUrl** - Remove URLs that start with `javascript:`, `vbscript:` and `data:`.
 
 ## Extras
 

diff --git a/index.js b/index.js
@@ -11,7 +11,8 @@ hexo.config.marked = Object.assign({
   smartLists: true,
   smartypants: true,
   modifyAnchors: '',
-  autolink: true
+  autolink: true,
+  sanitizeUrl: false
 }, hexo.config.marked);
 
 hexo.extend.renderer.register('md', 'html', renderer, true);

diff --git a/lib/renderer.js b/lib/renderer.js
@@ -35,6 +35,22 @@ function anchorId(str, transformOption) {
 
 // Support AutoLink option
 Renderer.prototype.link = function(href, title, text) {
+  if (this.options.sanitizeUrl) {
+    let prot;
+
+    try {
+      prot = decodeURIComponent(unescape(href))
+          .replace(/[^\w:]/g, '')
+          .toLowerCase();
+    } catch (e) {
+      return '';
+    }
+
+    if (prot.startsWith('javascript:') || prot.startsWith('vbscript:') || prot.startsWith('data:')) {
+      return '';
+    }
+  }
+
   if (!this.options.autolink && href === text && title == null) {
     return href;
   }