aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPhilipp Hagemeister <phihag@phihag.de>2013-02-05 18:50:21 +0100
committerPhilipp Hagemeister <phihag@phihag.de>2013-02-05 18:50:21 +0100
commitf608517d9e1dee126431aafedabdabaa03ec2937 (patch)
treed3f60375488b2d63bac3d24b0a41d1af3073e213
parentc201f3c706316fbafff51631ce86a0a3784f3218 (diff)
downloadmarkdown-f608517d9e1dee126431aafedabdabaa03ec2937.tar.gz
markdown-f608517d9e1dee126431aafedabdabaa03ec2937.tar.bz2
markdown-f608517d9e1dee126431aafedabdabaa03ec2937.zip
Forbid javascript:// URLs in safe mode
Diffstat
-rw-r--r--markdown/inlinepatterns.py3
-rw-r--r--tests/safe_mode/link-targets.html2
-rw-r--r--tests/safe_mode/link-targets.txt3
3 files changed, 8 insertions, 0 deletions
diff --git a/markdown/inlinepatterns.py b/markdown/inlinepatterns.py
index a1b264c..1ebb310 100644
--- a/markdown/inlinepatterns.py
+++ b/markdown/inlinepatterns.py
@@ -364,6 +364,9 @@ class LinkPattern(Pattern):
# Not a safe url
return ''
+ if scheme == 'javascript':
+ return ''
+
# Url passes all tests. Return url as-is.
return urlunparse(url)
diff --git a/tests/safe_mode/link-targets.html b/tests/safe_mode/link-targets.html
new file mode 100644
index 0000000..768ae5b
--- /dev/null
+++ b/tests/safe_mode/link-targets.html
@@ -0,0 +1,2 @@
+<p><a href="">XSS</a>
+See http://security.stackexchange.com/q/30330/1261 for details.</p> \ No newline at end of file
diff --git a/tests/safe_mode/link-targets.txt b/tests/safe_mode/link-targets.txt
new file mode 100644
index 0000000..10eebda
--- /dev/null
+++ b/tests/safe_mode/link-targets.txt
@@ -0,0 +1,3 @@
+[XSS](javascript://%0Aalert%28'XSS'%29;)
+See http://security.stackexchange.com/q/30330/1261 for details.
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-05 12:37:24 +0000