Improved URL sanitizer

2024-04-01 19:34:02 +02:00
parent abb1b0c3fc
commit 133d01bd11
2 changed files with 6 additions and 2 deletions


@ -56,6 +56,8 @@ func TestCombined(t *testing.T) {
func TestSecurity(t *testing.T) {
assert.Equal(t, markdown.Render("[text](javascript:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
assert.Equal(t, markdown.Render("[text](javAscRipt:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
assert.Equal(t, markdown.Render("[text](\"><div>html</div>)"), "<p><a href=\"&#34;&gt;&lt;div&gt;html&lt;/div&gt;\">text</a></p>")
assert.Equal(t, markdown.Render("[<div>html</div>]()"), "<p><a href=\"\">&lt;div&gt;html&lt;/div&gt;</a></p>")
assert.Equal(t, markdown.Render("[text]( javascript:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
assert.Equal(t, markdown.Render("[text]('javAscRipt:alert(\"xss\")')"), "<p><a href=\"&#39;javAscRipt:alert(&#34;xss&#34;)&#39;\">text</a></p>")
assert.Equal(t, markdown.Render("[text](\"><script>alert(123)</script>)"), "<p><a href=\"&#34;&gt;&lt;script&gt;alert(123)&lt;/script&gt;\">text</a></p>")
assert.Equal(t, markdown.Render("[<script>alert(123)</script>]()"), "<p><a href=\"\">&lt;script&gt;alert(123)&lt;/script&gt;</a></p>")
}
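Review bot: The cases in TestSecurity only pin the sanitizer against one scheme (`javascript:`, in two case variants and with a leading space), so a regression that lets another script-capable scheme through would not be caught here. The sanitizer itself is in the other changed file and not visible in this section, so whether it works from a denylist or an allowlist is unknown. If it is a denylist, switching it to an allowlist of schemes such as `http`, `https` and `mailto` would be the more robust fix. Either way, I would add at least one case for a different scheme and one with a tab or newline ahead of the scheme name, e.g. `assert.Equal(t, markdown.Render("[text](vbscript:x)"), "<p><a href=\"\">text</a></p>")`, assuming rejected URLs are blanked as in the existing cases. Separately, if `assert` is testify, the expected value belongs first (`assert.Equal(t, expected, actual)`), whereas these calls pass the rendered output first, so failure messages will label the two values the wrong way round.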