From 93543c216b337bfca6f1cb388d6ecf01e6cbcbce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Tue, 14 May 2019 15:14:36 +0300 Subject: [PATCH] fix: disallow ascii control characters in URLs Closes https://github.com/jonschlinkert/remarkable/issues/332 The code here is very similar to other markdown libraries, so I pretty much did what they do: - https://github.com/npm/marky-markdown/blob/008509231558765695938020a376b5b2e4fd4fcc/lib/gfm/override-link-destination-parser.js#L67 - https://github.com/markdown-it/markdown-it/blob/ba6830ba13fb92953a91fb90318964ccd15b82c4/lib/helpers/parse_link_destination.js#L53 --- lib/helpers/parse_link_destination.js | 3 ++- test/fixtures/commonmark/good.txt | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/lib/helpers/parse_link_destination.js b/lib/helpers/parse_link_destination.js index 3cf20559..9586339c 100644 --- a/lib/helpers/parse_link_destination.js +++ b/lib/helpers/parse_link_destination.js @@ -52,7 +52,8 @@ module.exports = function parseLinkDestination(state, pos) { if (code === 0x20) { break; } - if (code > 0x08 && code < 0x0e) { break; } + // ascii control chars + if (code < 0x20 || code === 0x7F) { break; } if (code === 0x5C /* \ */ && pos + 1 < max) { pos += 2; diff --git a/test/fixtures/commonmark/good.txt b/test/fixtures/commonmark/good.txt index 7d2a112e..3361eb6c 100644 --- a/test/fixtures/commonmark/good.txt +++ b/test/fixtures/commonmark/good.txt @@ -5546,3 +5546,11 @@ Multiple spaces

Multiple spaces

. +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +src line: 5550 + +. +[xss](javascript:alert(1)) +. +

[xss](javascript:alert(1))

+.