From 35c015d8331cd381f9608e4c287edec1564b51c1 Mon Sep 17 00:00:00 2001 From: MiLTanT Date: Mon, 12 Aug 2024 15:56:20 +0200 Subject: [PATCH 1/2] Prevent adding http: in front of https links --- src/LinkToken.coffee | 2 +- test/parserTest.coffee | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/LinkToken.coffee b/src/LinkToken.coffee index 10e0c09..50d70ad 100644 --- a/src/LinkToken.coffee +++ b/src/LinkToken.coffee @@ -5,7 +5,7 @@ class LinkToken toHTML: -> if @manialink and not /^maniaplanet:/i.test(@link) @link = "maniaplanet://#manialink=" + @link - if not @manialink and not /^http:/i.test(@link) + if not @manialink and not /^https?:/i.test(@link) @link = "http://" + @link return '' diff --git a/test/parserTest.coffee b/test/parserTest.coffee index 340a86f..fc4aba0 100644 --- a/test/parserTest.coffee +++ b/test/parserTest.coffee @@ -20,6 +20,8 @@ describe 'Parser', -> expect(Parser.toHTML('$l[www.clan-nuitblanche.org]$fff$l')).to.equal('') it 'should add http protocol to external links', -> expect(Parser.toHTML('$l[maniaplanet.com]maniaplanet$l')).to.equal('maniaplanet') + it 'shouldn\'t add http to links already starting with https', -> + expect(Parser.toHTML('$l[https://maniaplanet.com]a')).to.equal('a') it 'should add maniaplanet protocol to internal links', -> expect(Parser.toHTML('$h[maniaflash]ManiaFlash$h')).to.equal('ManiaFlash') it 'should handle color codes', -> From 2544781d00e9f177ba9e24788e15be30cfc65763 Mon Sep 17 00:00:00 2001 From: MiLTanT Date: Mon, 12 Aug 2024 16:19:49 +0200 Subject: [PATCH 2/2] Add escaping of html entities (fix xss) --- src/Encode.coffee | 5 +++++ src/LinkToken.coffee | 4 ++++ src/Token.coffee | 3 +++ test/parserTest.coffee | 10 ++++++++++ 4 files changed, 22 insertions(+) create mode 100644 src/Encode.coffee diff --git a/src/Encode.coffee b/src/Encode.coffee new file mode 100644 index 0000000..9faa0de --- /dev/null +++ b/src/Encode.coffee 
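Review bot: The new `/^https?:/i` test in LinkToken.toHTML is also the only thing keeping `javascript:` and `data:` schemes out of the href, because every value that does not match is forced to `"http://" + @link`; that property is stated nowhere, and a later change widening the regex to "any scheme" would silently reintroduce the problem. I'd add a comment above the condition: `# Anything not http(s) is forced to http:// — this is also what neutralises javascript:/data: links, so don't loosen the test to arbitrary schemes`. The check is prefix-only, so a value like `https:foo` (no `//`) passes through unchanged; whether that matters depends on how the href is rendered on the return line, which is garbled in this view.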
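Review bot: The added https test pins the happy path, but nothing pins the side of the scheme check that matters for safety — that a `javascript:` link still gets `http://` prepended rather than reaching the href as-is. A companion case such as `it 'should force http on non-http schemes', -> expect(Parser.toHTML('$l[javascript:alert(1)]x$l')).to.contain('http://javascript:alert(1)')` would catch a future loosening of the regex. The exact rendered anchor markup is not visible here (the expected strings in this hunk have lost their tags), so the matcher may need adjusting to the real attribute format.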
@@ -0,0 +1,5 @@ +class Encode + @htmlEntities: (text) -> + return text.replace /[&<>'"]/g, (match) -> '&#' + match.charCodeAt(0) + ';' + +exports.Encode = Encode \ No newline at end of file diff --git a/src/LinkToken.coffee b/src/LinkToken.coffee index 50d70ad..b978b90 100644 --- a/src/LinkToken.coffee +++ b/src/LinkToken.coffee @@ -1,3 +1,5 @@ +{Encode} = require './Encode.coffee' + class LinkToken constructor: (@manialink = false, @link = "") -> @@ -7,6 +9,8 @@ class LinkToken @link = "maniaplanet://#manialink=" + @link if not @manialink and not /^https?:/i.test(@link) @link = "http://" + @link + + @link = Encode.htmlEntities(@link) return '' exports.LinkToken = LinkToken \ No newline at end of file diff --git a/src/Token.coffee b/src/Token.coffee index fe596ab..3e0c293 100644 --- a/src/Token.coffee +++ b/src/Token.coffee @@ -1,11 +1,14 @@ {Style} = require './Style.coffee' {Color} = require './Color.coffee' +{Encode} = require './Encode.coffee' class Token constructor: (@style = 0, @text = '') -> toHTML: -> styleStack = [] + @text = Encode.htmlEntities(@text) + if @style if @style & Style.COLORED # Converting string to hex diff --git a/test/parserTest.coffee b/test/parserTest.coffee index fc4aba0..9935b7f 100644 --- a/test/parserTest.coffee +++ b/test/parserTest.coffee 
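Review bot: `Encode.htmlEntities` is a new public helper with no statement of which output contexts it is safe for, and that matters because the callers added in this patch use it for both a text node and an attribute value. The numeric-entity replacement of `& < > ' "` is adequate for HTML text and quoted attribute values, but not for unquoted attributes, URL or script contexts, and it is not idempotent — an `&` in already-encoded input becomes `&#38;` again. I'd put that above the method: `# Escape for HTML text nodes and quoted attribute values only (not URLs/JS); re-encodes & in already-escaped input, so call it once on raw text`.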
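Review bot: `@link = Encode.htmlEntities(@link)` stores the encoded form back on the token, so LinkToken.toHTML is no longer idempotent — a second call re-encodes the `&` of every `&#NN;` entity — and any other reader of `token.link` now sees attribute-encoded text instead of the URL. Encoding into a local at the point of use keeps the instance field clean: replace the assignment with `link = Encode.htmlEntities(@link)` and build the anchor from `link`. The return line that builds the anchor is garbled in this view, so the rename has to be carried into it by hand; the ordering itself is right, since the scheme check still runs on the raw value before encoding.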
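Review bot: `@text = Encode.htmlEntities(@text)` at the top of Token.toHTML has the same shape as the LinkToken change: it mutates the token, so calling toHTML twice double-encodes and `token.text` no longer holds the original text. A local such as `text = Encode.htmlEntities(@text)` used by the rest of the method avoids that. Token.toHTML's body continues past the end of this hunk (the style handling after `# Converting string to hex`), so the substitution has to be carried through there as well.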
@@ -34,3 +34,13 @@ describe 'Parser', -> expect(Parser.toHTML('$l[maniaplanet.com]Maniaplanet', disableLinks: true)).to.equal('Maniaplanet') it 'should be darker text with lightBackground', -> expect(Parser.toHTML('$fffText', lightBackground: true)).to.equal('Text') + it 'should encode html tags', -> + expect(Parser.toHTML('')).to.equal('<script>alert("foo")</script>') + it 'should encode html attributes', -> + expect(Parser.toHTML('')).to.equal('<img onerror="alert('foo')" />') + it 'should encode html comments', -> + expect(Parser.toHTML('')).to.equal('<!-- foo -->') + it 'should encode html entities', -> + expect(Parser.toHTML('foo & bar & baz')).to.equal('foo &amp; bar & baz') + it 'should encode html entities in links', -> + expect(Parser.toHTML('$l[http://test.com">]foo & bar$l')).to.equal('foo & bar') \ No newline at end of file
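Review bot: The new tests cover tag, attribute and comment injection in text and a `"` in a link, but none pins what happens to input that already contains an entity (e.g. `foo &amp; bar`), which `htmlEntities` will turn into `foo &#38;amp; bar`; if that double-encoding is intended, a test stating it stops someone "fixing" it later, and if not, the helper needs a change. Something like `it 'should re-encode existing entities', -> expect(Parser.toHTML('foo &amp; bar')).to.equal('foo &#38;amp; bar')` would settle it. The expected strings in this hunk look partly mangled by the page rendering (the tags are missing and the `&` case encodes only one ampersand), so I'm reading intent rather than exact values.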