Improved URL sanitizer

2024-04-01 19:34:02 +02:00 · 2024-04-01 19:34:02 +02:00 · 133d01bd11
commit 133d01bd11
parent abb1b0c3fc
2 changed files with 6 additions and 2 deletions
--- a/Render.go
+++ b/Render.go
@ -171,6 +171,8 @@ func (r *renderer) writeText(markdown string) {
 }
 func sanitizeURL(linkURL string) string {
 	linkURL = strings.TrimSpace(linkURL)
 	if strings.HasPrefix(strings.ToLower(linkURL), "javascript:") {
 		return ""
 	}
--- a/Render_test.go
+++ b/Render_test.go
@ -56,6 +56,8 @@ func TestCombined(t *testing.T) {
 func TestSecurity(t *testing.T) {
 	assert.Equal(t, markdown.Render("[text](javascript:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
 	assert.Equal(t, markdown.Render("[text](javAscRipt:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
-	assert.Equal(t, markdown.Render("[text](\"><div>html</div>)"), "<p><a href=\"&#34;&gt;&lt;div&gt;html&lt;/div&gt;\">text</a></p>")
+	assert.Equal(t, markdown.Render("[text]( javascript:alert(\"xss\"))"), "<p><a href=\"\">text</a></p>")
-	assert.Equal(t, markdown.Render("[<div>html</div>]()"), "<p><a href=\"\">&lt;div&gt;html&lt;/div&gt;</a></p>")
+	assert.Equal(t, markdown.Render("[text]('javAscRipt:alert(\"xss\")')"), "<p><a href=\"&#39;javAscRipt:alert(&#34;xss&#34;)&#39;\">text</a></p>")
 	assert.Equal(t, markdown.Render("[text](\"><script>alert(123)</script>)"), "<p><a href=\"&#34;&gt;&lt;script&gt;alert(123)&lt;/script&gt;\">text</a></p>")
 	assert.Equal(t, markdown.Render("[<script>alert(123)</script>]()"), "<p><a href=\"\">&lt;script&gt;alert(123)&lt;/script&gt;</a></p>")
 }