Merge pull request #140 from junorouse/master

Fix XXS
lepture · Oct 26, 2017 · ab8f7de · ab8f7de
2 parents 5b8c3f7 + d6f0b64
commit ab8f7de
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/mistune.py b/mistune.py
@@ -75,8 +75,9 @@ def escape(text, quote=False, smart_amp=True):
 def escape_link(url):
     """Remove dangerous URL schemes like javascript: and escape afterwards."""
     lower_url = url.lower().strip('\x00\x1a \n\r\t')
+
     for scheme in _scheme_blacklist:
-        if lower_url.startswith(scheme):
+        if re.sub(r'[^A-Za-z0-9\/:]+', '', lower_url).startswith(scheme):
             return ''
     return escape(url, quote=True, smart_amp=False)
 
@@ -844,7 +845,7 @@ def autolink(self, link, is_email=False):
         :param link: link content or email address.
         :param is_email: whether this is an email or not.
         """
-        text = link = escape(link)
+        text = link = escape_link(link)
         if is_email:
             link = 'mailto:%s' % link
         return '<a href="%s">%s</a>' % (link, text)

diff --git a/tests/__init__.py b/tests/__init__.py
diff --git a/tests/test_extra.py b/tests/test_extra.py
@@ -23,6 +23,8 @@ def test_safe_links():
         ('javascript:alert`1`', ''),
         # bypass attempt
         ('jAvAsCrIpT:alert`1`', ''),
+        # bypass with newline 
+        ('javasc\nript:alert`1`', ''),
         # javascript pseudo protocol with entities
         ('javascript&colon;alert`1`', 'javascript&amp;colon;alert`1`'),
         # javascript pseudo protocol with prefix (dangerous in Chrome)