author | Waylan Limberg <waylan@gmail.com> | 2008-03-18 04:41:33 +0000
---|---|---
committer | Waylan Limberg <waylan@gmail.com> | 2008-03-18 04:41:33 +0000
commit | 2db5d1c8e469d2943a6a851bc0ff3ede070e448b (patch) |
tree | 4bbe9a96e275fe7edd02c6d6309f1bf60d7495b9 /tests |
parent | 04cfb29071c4235aca2a4725317d83424ecb5b3a (diff) |
download | markdown-2db5d1c8e469d2943a6a851bc0ff3ede070e448b.tar.gz, markdown-2db5d1c8e469d2943a6a851bc0ff3ede070e448b.tar.bz2, markdown-2db5d1c8e469d2943a6a851bc0ff3ede070e448b.zip |
Added sanitation of link urls when in safe_mode to no longer allow javascript. Not yet convinced I got all cases, but it's much better than before. Also added some tests although testing framework doesn't currently have the option to run in safe_mode. See [1914685] for more info.
Diffstat (limited to 'tests')

mode | file | lines
---|---|---
-rw-r--r-- | tests/safe_mode/unsafe_urls.html | 24
-rw-r--r-- | tests/safe_mode/unsafe_urls.txt | 27

2 files changed, 51 insertions, 0 deletions
diff --git a/tests/safe_mode/unsafe_urls.html b/tests/safe_mode/unsafe_urls.html new file mode 100644 index 0000000..8eda30d --- /dev/null +++ b/tests/safe_mode/unsafe_urls.html @@ -0,0 +1,24 @@ +<p>These links should be unsafe and not allowed in safe_mode +</p> +<p><a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> + <a href="">link</a> +</p> +<p><img src="" alt="img"/><a href="">ref</a> + <img src="" alt="imgref"/> +</p> +<p>These should work regardless: +</p> +<p><a href="relative/url.html">relative</a> + <a href="mailto:foo@bar.com">email</a> + <a href="news:some.news.group.com">news scheme</a> + <a href="http://example.com">http link</a> +</p>
\ No newline at end of file diff --git a/tests/safe_mode/unsafe_urls.txt b/tests/safe_mode/unsafe_urls.txt new file mode 100644 index 0000000..7bfd81d --- /dev/null +++ b/tests/safe_mode/unsafe_urls.txt @@ -0,0 +1,27 @@ +These links should be unsafe and not allowed in safe_mode + +[link](javascript:alert%28'Hello%20world!'%29) +[link](vbscript:msgbox%28%22Hello%20world!%22%29) +[link](livescript:alert%28'Hello%20world!'%29) +[link](mocha:[code]) +[link](jAvAsCrIpT:alert%28'Hello%20world!'%29) +[link](ja vas cr ipt:alert%28'Hello%20world!'%29) +[link](ja vas cr ipt:alert%28'Hello%20world!'%29) +[link](ja vas cr ipt:alert%28'Hello%20world!'%29) +[link](ja%09 %0Avas cr
ipt:alert%28'Hello%20world!'%29) +[link](ja%20vas%20cr%20ipt:alert%28'Hello%20world!'%29) +[link](live%20script:alert%28'Hello%20world!'%29) + +![img](javascript:alert%29'XSS'%29) +[ref][] +![imgref][] + +[ref]: javascript:alert%29'XSS'%29 +[imgref]: javascript:alert%29'XSS'%29 + +These should work regardless: + +[relative](relative/url.html) +[email](mailto:foo@bar.com) +[news scheme](news:some.news.group.com) +[http link](http://example.com) |
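Review bot: In the tests/safe_mode/unsafe_urls.html hunk, the expected output encodes one specific sanitizer behaviour, namely that every rejected URL is rewritten to `href=""` (and `src=""`) while the anchor and its text are kept; that choice should be stated in the fixture's opening sentence ("These links should be unsafe and not allowed in safe_mode" does not say what the sanitized output is supposed to look like), so that a later change to drop the element or substitute a placeholder is recognised as a deliberate behaviour change rather than a regression. The file is also committed without a trailing newline (`\ No newline at end of file`); add one. Since the commit message says the test framework cannot yet run in safe_mode, nothing compares this expected output against the converter's actual output, so the fixture is documentation only until the runner gains a safe_mode switch.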
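Review bot: In the tests/safe_mode/unsafe_urls.txt hunk, three consecutive `[link](ja vas cr ipt:alert%28'Hello%20world!'%29)` lines read as identical here; if they differ only in which invisible whitespace character separates the fragments, give each a distinct link text (for example `link-tab`, `link-newline`) so a failing case can be identified and so an editor that normalises whitespace cannot silently collapse them into one. The image and reference cases use `alert%29'XSS'%29`, encoding `)` on both sides, whereas every other case uses the `%28 ... %29` pair; the scheme is what the sanitizer has to reject, so the case still serves its purpose, but the mismatch looks like a typo and should be made consistent with the rest of the file. The "These should work regardless" block is a good addition, since it pins down that `mailto:`, `news:`, relative and `http:` links survive safe_mode and guards against an over-broad rejection rule.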