From 13e97eb56b747d67864471608f29aa9147a6a76a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9A=D0=BE=D1=81=D1=82=D1=8F=20=D0=A2=D1=80=D0=B5=D1=82?= =?UTF-8?q?=D1=8F=D0=BA?=
Date: Tue, 2 Jan 2018 19:05:01 +0200
Subject: [PATCH] Fix auto_links secure

Related to https://github.com/chjj/marked/pull/814
---
 lib/marked.js | 4 ++--
 test/tests/auto_links.html | 22 +++++++++++++++-----
 test/tests/auto_links.text | 21 ++++++++++++++-----
 test/tests/mangle_xss.sanatize.nomangle.html | 2 +-
 4 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/lib/marked.js b/lib/marked.js
index 6f0e87c4c5..bf335fe074 100644
--- a/lib/marked.js
+++ b/lib/marked.js
@@ -445,9 +445,9 @@ Lexer.prototype.token = function(src, top, bq) {
 
 var inline = {
   escape: /^\\([\\`*{}\[\]()#+\-.!_>])/,
-  autolink: /^<([^ >]+(@|:\/)[^ >]+)>/,
+  autolink: /^<([^ <>]+(@|:\/)[^ <>]+)>/,
   url: noop,
-  tag: /^|^<\/?\w+(?:"[^"]*"|'[^']*'|[^'">])*?>/,
+  tag: /^|^<\/?\w+(?:"[^"]*"|'[^']*'|[^<'">])*?>/,
   link: /^!?\[(inside)\]\(href\)/,
   reflink: /^!?\[(inside)\]\s*\[([^\]]*)\]/,
   nolink: /^!?\[((?:\[[^\]]*\]|[^\[\]])*)\]/,
diff --git a/test/tests/auto_links.html b/test/tests/auto_links.html
index f8df9852c7..898fed622d 100644
--- a/test/tests/auto_links.html
+++ b/test/tests/auto_links.html
@@ -1,18 +1,30 @@
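Review bot: The tightened classes on the `autolink` and `tag` lines exclude only a literal space and `<`, so `[^ <>]+` still lets an autolink span tabs and newlines (`<foo\n@bar>` matches); `[^\s<>]` would close that gap: `autolink: /^<([^\s<>]+(@|:\/)[^\s<>]+)>/,`. On the `tag` line the `<` exclusion is added only to the unquoted-attribute branch; the `"[^"]*"` and `'[^']*'` alternatives can still run past a later `<` when a quote is unbalanced, which is presumably accepted because `<` is legal inside quoted attribute values, so a one-line comment such as `// unquoted attribute chars exclude '<' so an unclosed tag cannot swallow a later one` would record the intent. The first alternative of `tag` appears here as a bare `^|`, which looks like an artifact of how this page was rendered rather than the committed regex. The `inline` object continues past the end of the hunk.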

Link: http://example.com/.

-

With an ampersand: http://example.com/?foo=1&bar=2

+

With an ampersand: http://example1.com/?foo=1&bar=2

-

Blockquoted: http://example.com/

+

Blockquoted: http://example3.com/

-

Auto-links should not occur here: <http://example.com/>

+

Auto-links should not occur here: <http://example4.com/>

-
or here: <http://example.com/>
+
or here: <http://example5.com/>
 
+ +

Open angle bracket with link:

+ +

<http://example6.com

+ +

With space: < http://example7.com

+ +

With content: <1 http://example8.com

+ +

hello world +http://example9.com +

diff --git a/test/tests/auto_links.text b/test/tests/auto_links.text
index f85767b48a..7a017f00ae 100644
--- a/test/tests/auto_links.text
+++ b/test/tests/auto_links.text
@@ -1,13 +1,24 @@
 Link: . -With an ampersand: +With an ampersand: * In a list? -* +* * It should. -> Blockquoted: +> Blockquoted: -Auto-links should not occur here: `` +Auto-links should not occur here: `` - or here: + or here: + +Open angle bracket with link: + +< + +With space: < + +With content: <1 + +hello world + 
diff --git a/test/tests/mangle_xss.sanatize.nomangle.html b/test/tests/mangle_xss.sanatize.nomangle.html
index 9f87f09a43..83a7b355d6 100644
--- a/test/tests/mangle_xss.sanatize.nomangle.html
+++ b/test/tests/mangle_xss.sanatize.nomangle.html
@@ -1,3 +1,3 @@
-

<svg/onload="alert(1)"//@x

+

<svg/onload="alert(1)"//@x

bar"onclick="alert('XSS')"@foo