In order to fix #80, a simple call to escape is sufficient. However, #87 is actually a beast. It is fairly easy to fix if you would use a whitelist of allowed schemes (HTTP, HTTPS, ...) but for a general markdown parser I figured this would be too much of a burden to use for developers. You probably expect things to just work. Thus, I attempted to implement a blacklist. The attack vectors this should protect against are listed in the test case, but here is an explanation for each of them:

- `javascript:alert(1)`: Standard. You protected against this already.
- `jAvAsCrIpT:alert(1)`: Just a little variation on the original vector (still works in every browser).
- `javascript:alert(1)`: The entity attack. Every browser will first decode the entity and then execute our payload (https://jsfiddle.net/kLv02bun/).
- `\x1Ajavascript:alert(1)`: The "weird" one. Different browsers allow different characters in front of (and after) a scheme. This vector is for Chrome (https://jsfiddle.net/fxdfn1g6/). This is the reason I had to cut out non-alphanumeric characters in the `escape_link` function.
- `data:text/html,<script>alert(1)</script>`: Just a variation on the scheme. Even though it alerts in every browser, it is actually only a danger in Firefox.
- `vbscript:msgbox`: Protect against old Internet Explorer XSS. For good measure.

Note that I had to fix an unrelated test case which used links. As far as my understanding of the HTML spec goes, it is more correct now, as `&` always has to be transformed to `&amp;` due to its special meaning.
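The following is an added example of the blacklist approach the comment above describes, written for this page; it is not the project's own `escape_link` function nor the test case the comment refers to. It assumes Python, assumes the three schemes named in the comment (`javascript:`, `vbscript:`, `data:`) are the full blacklist, and uses a constructed entity-encoded form (`&#106;avascript:`) to stand in for the "entity attack" vector, since the page does not show which entity was used. The check normalises a link (decode entities, case-fold, drop everything except letters, digits, `/` and `:`) before comparing its prefix, and the surviving link is HTML-escaped so that `&` becomes `&amp;` in the emitted attribute.

```python
import html
import re

# Schemes this blacklist refuses, as listed in the comment above.
# Assumption: these three are the whole list; a real parser may refuse more.
BLACKLISTED_SCHEMES = ("javascript:", "vbscript:", "data:")

# Only letters, digits, '/' and ':' survive normalisation. Browsers tolerate
# many control and whitespace characters before and inside a scheme (the
# "\x1Ajavascript:" vector), so everything else is dropped before comparing.
_NON_SCHEME_CHARS = re.compile(r"[^A-Za-z0-9/:]+")


def normalize_for_check(link: str) -> str:
    """Canonical form used only for the blacklist decision, never for output."""
    # Undo HTML entities first (the "entity attack"): a browser decodes
    # &#106;avascript: to javascript: before it resolves the URL.
    decoded = html.unescape(link)
    # Schemes are case-insensitive (jAvAsCrIpT:), so fold case.
    decoded = decoded.lower()
    return _NON_SCHEME_CHARS.sub("", decoded)


def is_blacklisted(link: str) -> bool:
    """True when the normalised link starts with a refused scheme."""
    return normalize_for_check(link).startswith(BLACKLISTED_SCHEMES)


def escape_link(link: str) -> str:
    """Return the href value to emit, or '' when the scheme is blacklisted.

    The surviving link is HTML-escaped, so '&' becomes '&amp;' and quotes
    cannot break out of the attribute value.
    """
    if is_blacklisted(link):
        return ""
    return html.escape(link, quote=True)


# Constructed inputs mirroring the vectors explained in the comment above.
CONSTRUCTED_VECTORS = [
    "javascript:alert(1)",                       # standard
    "jAvAsCrIpT:alert(1)",                       # case variation
    "&#106;avascript:alert(1)",                  # entity-encoded 'j' (assumed form)
    "\x1Ajavascript:alert(1)",                   # control character before the scheme
    "data:text/html,<script>alert(1)</script>",  # data: scheme
    "vbscript:msgbox",                           # old Internet Explorer
]

# Constructed links that must pass through unchanged apart from escaping.
CONSTRUCTED_SAFE_LINKS = [
    "https://example.com/?a=1&b=2",
    "/relative/path",
    "mailto:x@example.com",
]


def audit(links):
    """Map each link to the href the sanitizer would emit ('' when refused)."""
    return {link: escape_link(link) for link in links}


if __name__ == "__main__":
    for link, emitted in audit(CONSTRUCTED_VECTORS + CONSTRUCTED_SAFE_LINKS).items():
        print(f"{link!r:48} -> {emitted!r}")
```

Two design points worth noting. Normalisation is applied to a copy used only for the decision; the value actually emitted is the original link, escaped, so a benign `https://example.com/?a=1&b=2` keeps its characters and gains only the required `&amp;`. And, as the comment itself says, a blacklist stops the schemes it knows about and nothing else; a whitelist of allowed schemes is the stricter choice where the consuming application can afford it.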