From 133d01bd11151d7e80bbc1dc5d5f2b728dc8cdf8 Mon Sep 17 00:00:00 2001
From: Eduard Urbach <admin@akyoto.dev>
Date: Mon, 1 Apr 2024 19:34:02 +0200
Subject: [PATCH] Improved URL sanitizer

---
 Render.go | 2 ++
 Render_test.go | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Render.go b/Render.go
index 8c1fa2b..1447a87 100644
--- a/Render.go
+++ b/Render.go
@@ -171,6 +171,8 @@ func (r *renderer) writeText(markdown string) {
 }
 
 func sanitizeURL(linkURL string) string {
+ linkURL = strings.TrimSpace(linkURL)
+
 if strings.HasPrefix(strings.ToLower(linkURL), "javascript:") {
 return ""
 }
diff --git a/Render_test.go b/Render_test.go
index e47ce23..4ccecaa 100644
--- a/Render_test.go
+++ b/Render_test.go
@@ -56,6 +56,8 @@ func TestCombined(t *testing.T) {
 func TestSecurity(t *testing.T) {
 assert.Equal(t, markdown.Render("[text](javascript:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
 assert.Equal(t, markdown.Render("[text](javAscRipt:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
- assert.Equal(t, markdown.Render("[text](\"><div>html</div>)"), "<p><a href=\""><div>html</div>\">text</a></p>")
- assert.Equal(t, markdown.Render("[<div>html</div>]()"), "<p><a href=\"\"><div>html</div></a></p>")
+ assert.Equal(t, markdown.Render("[text]( javascript:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
+ assert.Equal(t, markdown.Render("[text]('javAscRipt:alert(\"xss\")')"), "<p><a href=\"'javAscRipt:alert("xss")'\">text</a></p>")
+ assert.Equal(t, markdown.Render("[text](\"><script>alert(123)</script>)"), "<p><a href=\""><script>alert(123)</script>\">text</a></p>")
+ assert.Equal(t, markdown.Render("[<script>alert(123)</script>]()"), "<p><a href=\"\"><script>alert(123)</script></a></p>")
 }
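Review bot: The added `strings.TrimSpace` on the first line of sanitizeURL only normalizes leading and trailing whitespace, whereas the URL parser browsers apply to an href strips leading/trailing C0 control characters and removes ASCII tab, LF and CR anywhere in the value, so the scheme seen by the `HasPrefix` check below can still differ from the scheme the browser resolves. Normalizing the same way before the prefix test would close that gap: `linkURL = strings.TrimFunc(linkURL, func(r rune) bool { return r <= ' ' })` followed by `linkURL = strings.Map(func(r rune) rune { if r == '\t' || r == '\n' || r == '\r' { return -1 }; return r }, linkURL)`. A scheme allowlist (`http`, `https`, `mailto`, and relative paths) is the more robust shape for a denylist like this, but the rest of sanitizeURL is outside the hunk, so other schemes may already be handled there. A short comment such as `// normalize like a browser's URL parser before inspecting the scheme` would document why the trimming precedes the check.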
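Review bot: The expected strings in the four added assertions, as shown here, contain a raw `"` and a literal `<script>` element inside the `href` attribute value, which if taken literally would assert an attribute breakout rather than its escaping; presumably the source file uses `&quot;`, `&lt;` and `&gt;` and the entities were decoded when this page was rendered, so it is worth confirming the on-disk expectations are the entity-encoded form. Only the space-prefixed case pins the new TrimSpace behaviour; a tab- or newline-prefixed input would exercise the same code path and document that it covers more than the space character. With six assertions of identical shape, a table-driven `for _, tc := range []struct{ in, want string }{...}` loop would make further cases cheaper to add and name.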